August 13, 2013
Application Hackers Have a Handbook... Why Shouldn't You?
AGENDA
1 Today’s Vulnerabilities
2 Real World Application Security Lifecycle
3 Holistic Application Security Solution
Web Application Vulnerabilities
Improving Business Intelligence
Your Objective:
• Improve visibility across systems
• Monitor, control and detect anomalies and compromise
• Correlate events and instruct devices across the network
• Dynamically enforce policies and rules across technologies
Cybercriminals aggressively exploit the weakness of siloed monitoring and controls.
ONLY 24% OF BREACHES ARE SELF-DETECTED
Business and Threat Intelligence
• Security Information and Event Management (SIEM)
• Web Application Firewall
• Global Threat Database
• Threat Research and Advisory Services
Source: 2013 Trustwave Global Security Report
Mobile Apps are Taking Off
[Chart: mobile app market by year (2011, 2013*, 2015*), series: Tablet apps, Smartphone apps; vertical axis 0 to 60]
March 2012: “Mobile App is the new face of engagement”
Mobile apps: $6 billion market today
Will hit $55.7 billion by 2015
iOS Architecture – Security Weaknesses
• All processes of interest run with administrative privileges
• iPhone does not utilize some widely accepted practices
  – Address randomization
    • The stack, heap, and executable code are located at precisely the same spot in memory
  – Non-executable heaps
    • A buffer overflow on the heap can write executable instructions
6
Android Architecture – Security Weaknesses
• Google decided against (in initial release)
  – Stack and heap non-execute protections
• GIF image vulnerability
  – Decode function uses logical screen width and height to allocate heap
  – Can overflow the heap buffer, allowing a hacker to control the phone
• Vulnerability is in the multimedia subsystem made by PacketVideo
  – Due to insufficient boundary checking
  – It’s possible to corrupt the heap and execute arbitrary code on the device
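The GIF decoder weakness above comes down to trusting header dimensions when sizing and then filling a heap buffer. The following is an added example, not code from the slides or from the PacketVideo decoder, of how a parser can validate those dimensions before it allocates or writes a single pixel; GIF_MAX_PIXELS, the function names and the sample headers are assumptions constructed for this example.

```c
/* Added example, not code from the slides or any shipped decoder: defensive
 * dimension handling for a GIF-style image parser. Field layout follows GIF89a;
 * GIF_MAX_PIXELS is a hypothetical budget and the headers are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GIF_MAX_PIXELS (64u * 1024u * 1024u)   /* hypothetical per-image budget */

typedef struct {
    uint16_t screen_w, screen_h;   /* logical screen descriptor */
    uint16_t img_left, img_top;    /* image descriptor offset */
    uint16_t img_w, img_h;         /* image descriptor size */
} gif_dims;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Parse the fixed fields of a minimal GIF89a: 6-byte signature, 7-byte logical
 * screen descriptor, optional global colour table, then the first image
 * descriptor (0x2C plus 9 bytes). Every read is length-checked first. */
bool gif_parse_dims(const uint8_t *buf, size_t len, gif_dims *d)
{
    if (len < 13 || memcmp(buf, "GIF89a", 6) != 0) return false;
    d->screen_w = rd16le(buf + 6);
    d->screen_h = rd16le(buf + 8);
    size_t off = 13;
    if (buf[10] & 0x80) {                      /* global colour table present */
        size_t gct = 3u * (1u << ((buf[10] & 0x07) + 1));
        if (len - off < gct) return false;
        off += gct;
    }
    if (len - off < 10 || buf[off] != 0x2C) return false;
    d->img_left = rd16le(buf + off + 1);
    d->img_top  = rd16le(buf + off + 3);
    d->img_w    = rd16le(buf + off + 5);
    d->img_h    = rd16le(buf + off + 7);
    return true;
}

/* Derive the canvas allocation from the header and reject anything the later
 * pixel writes could not honour: an empty canvas or frame, a canvas over budget,
 * or a frame that does not fit inside the logical screen the header declared.
 * The size arithmetic is done in 64 bits so it cannot wrap on 32-bit targets. */
bool gif_canvas_bytes(const gif_dims *d, size_t *out_bytes)
{
    if (d->screen_w == 0 || d->screen_h == 0 || d->img_w == 0 || d->img_h == 0) return false;
    if ((uint32_t)d->img_left + d->img_w > d->screen_w) return false;
    if ((uint32_t)d->img_top + d->img_h > d->screen_h) return false;
    uint64_t px = (uint64_t)d->screen_w * d->screen_h;
    if (px > GIF_MAX_PIXELS) return false;
    *out_bytes = (size_t)(px * 4u);            /* RGBA, 4 bytes per pixel */
    return true;
}

/* Allocate the canvas and blit one constant-colour frame into it, using only
 * dimensions gif_canvas_bytes has validated, so every index stays in bounds.
 * Returns the number of pixels written, or 0 if the image was rejected. */
size_t gif_render_frame(const uint8_t *buf, size_t len, uint32_t rgba)
{
    gif_dims d;
    size_t bytes;
    if (!gif_parse_dims(buf, len, &d) || !gif_canvas_bytes(&d, &bytes)) return 0;
    uint32_t *canvas = calloc(bytes / sizeof(uint32_t), sizeof(uint32_t));
    if (canvas == NULL) return 0;
    size_t written = 0;
    for (uint32_t y = 0; y < d.img_h; y++)
        for (uint32_t x = 0; x < d.img_w; x++) {
            canvas[(size_t)(d.img_top + y) * d.screen_w + d.img_left + x] = rgba;
            written++;
        }
    free(canvas);
    return written;
}

/* Build a constructed 23-byte header (no colour table) with the given dims. */
size_t gif_build_header(uint8_t out[23], uint16_t sw, uint16_t sh,
                        uint16_t il, uint16_t it, uint16_t iw, uint16_t ih)
{
    memcpy(out, "GIF89a", 6);
    put16le(out + 6, sw); put16le(out + 8, sh);
    out[10] = 0; out[11] = 0; out[12] = 0;     /* packed=0: no global colour table */
    out[13] = 0x2C;
    put16le(out + 14, il); put16le(out + 16, it);
    put16le(out + 18, iw); put16le(out + 20, ih);
    out[22] = 0;
    return 23;
}

/* Build a header with the given dims and try to render it; 0 means the decoder
 * refused the image before it touched the heap. */
size_t gif_render_constructed(uint16_t sw, uint16_t sh, uint16_t il, uint16_t it,
                              uint16_t iw, uint16_t ih)
{
    uint8_t h[23];
    size_t len = gif_build_header(h, sw, sh, il, it, iw, ih);
    return gif_render_frame(h, len, 0xFF0000FFu);
}
```

The same checks apply to any format whose header dictates an allocation size: validate the declared geometry against what will actually be written, and cap the total before calling the allocator.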
Securing Web & Mobile Applications
Your Objective:
• Ensure secure development of web and mobile applications
• Prevent Layer 7 attacks and dynamically protect web applications
• Maintain application performance
360 Application Security
• Secure App Development Training
• Secure Code Review
• Mobile Application Penetration Testing
• Web Application Penetration Testing
• Web Application Firewall
• SSL Certificates
TOP APP ATTACK METHODS
E-commerce sites are the #1 targeted asset of hackers.
Source: 2013 Trustwave Global Security Report
Application Security -- A Lifecycle View
[Figure: lifecycle from SDLC to Production. Activities: Security review, Architecture audits, Code review, Static analysis, Dynamic testing, Penetration testing, Application firewalls; Application security training runs across all phases]
Challenges to Implement Application Security
• Manual process
• Error prone
• Lack of expertise
• Lack of incentive
• Complex to carry out
• Time-to-market pressure
• Lack of influence
• Lack of code visibility
• Different priorities
• No code & design visibility
• No root cause info
• Lack of visibility and integration
[Figure repeats the lifecycle layout, with Application security training across all phases]
Securing Web & eMail
Your Objective:
• Create a layered defense
• Improve anti-malware power at the gateway
• Enable safe and productive use of social media
• Get control of data from creation to destruction
Content Security and Control
• Threat Research & Advisory Services/Feeds
• Secure Web Gateway
• Web Application Firewall
• Secure Email Gateway
• Data Loss Prevention
• Data Encryption
• Security Awareness Education
Web-based systems are the most utilized threat vector of hackers.
AVERAGE TIME FROM BREACH TO DETECTION: 210 DAYS
Source: 2013 Trustwave Global Security Report
This Means …
• Defects are found later in the lifecycle
  – Increased remediation cost
• Often security defects are not fixed due to separate agenda and accountability structures
  – Developers are under time-to-market pressure
• Silo-ed model does not scale
  – How many auditors do you need to cover all your apps?
[Chart: Cost for defect fixes by phase (Development, Integration, Audit/test, Production): 1x, 5x, 10x, 30x. Source: NIST]
Why Application Security?
• Applications are vulnerable
  – 44% of organizations feel that application vulnerabilities pose the greatest threat to them in 2012. Source: InformationWeek 2012 Strategic Security Survey.
• Fixing them is expensive
  – A recent study of more than 150 organizations found the average total cost to remediate a single application security incident is approximately $300,000.
• Late fixes are even more expensive
  – It is 5 times more expensive to fix a flaw in development than during design, 10 times more in testing, and 30 times more in deployment. Source: National Institute of Standards and Technology.
What We Need: The Shape of An Ideal Solution
• More automated design audits and threat modeling
• Easy to use static analysis
• Suitable for developers
• Meaningful remediation guidance
• Integrated with dynamic tests
• Integrated with static analysis
• Provide input back to dev
• Scanning and intelligent pen testing
• Virtual patching
• Real time attack blocking
• Continuous deployment support
• Application security training across all phases
That said -- you don’t have to tackle everything at once, but you need a strategy to get there!
Recommendations
• Immediate to-do list
– Invest in WAF technology for all your external-facing web applications
– Invest in developer training, focusing on on-the-job training
– Invest in static analysis technology, start small
• Medium-term to-do list
– Perform dynamic scan on all of your applications
– Define your selective penetration testing strategy
– Populate static analysis
– Prioritize remediation
• Long-term to-do list
– Build your complete application security competency
Ready To Get Started?
• Get the “Addressing the OWASP Top 10 with Trustwave WebDefend” White Paper – https://www.trustwave.com/application-security/
• Take the OWASP Top 10 Threats & Mitigations Course for free!
• We can show you how to protect your applications in 30 minutes or less. Start your proof of concept with Trustwave WebDefend now!
About Trustwave
Founded in 1995
Almost 1100 employees in 26 locations worldwide
Nearly 2.5 million merchants trust us for their compliance and security needs
Robust portfolio of risk management, compliance and security solutions
Leading provider of Cloud Security through our award-winning TrustKeeper portal
Leading provider of Managed Security Services, with global 365x24x7 operations
Trustwave SpiderLabs has performed over 14,000 penetration tests and 1,500 forensic investigations
Simple Solutions to Complex Challenges
360 Application Security
• The industry’s only holistic application security lifecycle solution
• Enables an organization to secure their applications while meeting regulatory and compliance requirements in a simple way
Summary
• Application security should be addressed from design to production
• Best practice is with a lifecycle approach
• Trustwave’s 360 Application Security solution, including the award-winning WebDefend WAF, can help you start protecting your applications today
QUESTIONS

Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 

Recently uploaded (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

Application Hackers Have A Handbook. Why Shouldn't You?

  • 1. August 13, 2013 Application Hackers Have a Handbook. . . Why Shouldn't You?
  • 2. 1 Today’s Vulnerabilities 2 Real World Application Security Lifecycle 3 Holistic Application Security Solution AGENDA
  • 4. Improving Business Intelligence
    Your Objective:
    • Improve visibility across systems
    • Monitor, control and detect anomalies and compromise
    • Correlate events and instruct devices across the network
    • Dynamically enforce policies and rules across technologies
    Cybercriminals aggressively exploit the weakness of siloed monitoring and controls. ONLY 24% OF BREACHES ARE SELF-DETECTED.
    Business and Threat Intelligence:
    • Security Information and Event Management (SIEM)
    • Web Application Firewall
    • Global Threat Database
    • Threat Research and Advisory Services
    Source: 2013 Trustwave Global Security Report
  • 5. Mobile Apps are Taking Off
    [Chart: tablet apps and smartphone apps, 2011 / 2013* / 2015*]
    March 2012: “Mobile App is the new fact of engagement”
    Mobile apps: $6 billion market today; will hit $55.7 billion by 2015
  • 6. iOS Architecture – Security Weaknesses
    • All processes of interest run with administrative privileges
    • iPhone does not utilize some widely accepted practices
      – Address randomization: the stack, heap, and executable code are located at precisely the same spot in memory
      – Non-executable heaps: a buffer overflow on the heap can write executable instructions
  • 7. Android Architecture – Security Weaknesses
    • Google decided against (in initial release) stack and heap non-execute protections
    • GIF image vulnerability
      – Decode function uses logical screen width and height to allocate heap
      – Can overflow the heap buffer, allowing a hacker to control the phone
    • Vulnerability is in the multimedia subsystem made by PacketVideo
      – Due to insufficient boundary checking
      – It’s possible to corrupt the heap and execute arbitrary code on the device
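The GIF weakness on slide 7 is a mismatch between two header fields: the canvas is allocated from the logical screen descriptor, but the frame that is decoded into it is sized by the image descriptor, and nothing checks that the second fits inside the first. The validator below is an added example written for this page, not code from the deck, Trustwave or the PacketVideo decoder; the status names, function names and the two constructed sample files are assumptions made for illustration. It shows the two checks a decoder needs: an overflow-safe computation of the canvas size, and a bounds check that rejects any frame extending past the logical screen before a single pixel is written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes for this illustrative validator (names are assumptions, not
   from any real decoder). */
enum gif_status {
    GIF_OK = 0,
    GIF_ERR_SHORT = 1,      /* input ends before the headers do */
    GIF_ERR_SIGNATURE = 2,  /* not GIF87a/GIF89a, or no image separator */
    GIF_ERR_ZERO_DIM = 3,   /* zero width or height */
    GIF_ERR_OVERFLOW = 4,   /* width*height*bpp would wrap size_t */
    GIF_ERR_BOUNDS = 5      /* image descriptor does not fit the logical screen */
};

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Size the canvas from the logical screen descriptor without integer wrap.
   A wrapped product is what turns a tiny allocation into a heap overflow later. */
static int checked_canvas_size(uint16_t w, uint16_t h, size_t bpp, size_t *out)
{
    if (w == 0 || h == 0 || bpp == 0) return GIF_ERR_ZERO_DIM;
    size_t pixels = (size_t)w * (size_t)h;      /* 16x16 bits cannot wrap a 32-bit size_t */
    if (pixels > SIZE_MAX / bpp) return GIF_ERR_OVERFLOW;
    *out = pixels * bpp;
    return GIF_OK;
}

/* The missing boundary check: a frame at (left, top) of size (w, h) must lie
   inside the logical screen the canvas was allocated for. Sums are taken in
   32-bit so left + w cannot wrap either. */
static int check_frame_bounds(uint16_t sw, uint16_t sh,
                              uint16_t left, uint16_t top, uint16_t w, uint16_t h)
{
    if (w == 0 || h == 0) return GIF_ERR_ZERO_DIM;
    if ((uint32_t)left + w > sw || (uint32_t)top + h > sh) return GIF_ERR_BOUNDS;
    return GIF_OK;
}

/* Parse header, logical screen descriptor (LSD) and the first image
   descriptor; on GIF_OK *canvas_bytes is the validated RGBA canvas size. */
int gif_validate_first_frame(const uint8_t *buf, size_t len, size_t *canvas_bytes)
{
    const size_t HDR = 6, LSD = 7, IMG = 10;
    if (len < HDR + LSD) return GIF_ERR_SHORT;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return GIF_ERR_SIGNATURE;
    uint16_t sw = rd_le16(buf + 6), sh = rd_le16(buf + 8);
    size_t need = 0;
    int rc = checked_canvas_size(sw, sh, 4, &need);   /* 4 bytes per pixel */
    if (rc != GIF_OK) return rc;

    /* Skip the global colour table if flagged: 3 * 2^(n+1) bytes. */
    size_t off = HDR + LSD;
    uint8_t packed = buf[10];
    if (packed & 0x80) off += (size_t)3 << ((packed & 0x07) + 1);
    if (len < off + IMG) return GIF_ERR_SHORT;
    if (buf[off] != 0x2C) return GIF_ERR_SIGNATURE;  /* image separator */
    uint16_t left = rd_le16(buf + off + 1), top = rd_le16(buf + off + 3);
    uint16_t w = rd_le16(buf + off + 5), h = rd_le16(buf + off + 7);
    rc = check_frame_bounds(sw, sh, left, top, w, h);
    if (rc != GIF_OK) return rc;
    *canvas_bytes = need;
    return GIF_OK;
}

/* Constructed sample: a 10x8 logical screen, no global colour table, one
   10x8 frame at the origin. */
const uint8_t SAMPLE_OK[] = {
    'G','I','F','8','9','a', 10,0, 8,0, 0x00, 0, 0,
    0x2C, 0,0, 0,0, 10,0, 8,0, 0x00 };
/* Constructed sample: same LSD, but the frame claims 64x8. A decoder that
   sized its buffer from the LSD and trusted the frame would write past the
   end of the heap block; the validator refuses it instead. */
const uint8_t SAMPLE_OVERSIZED[] = {
    'G','I','F','8','9','a', 10,0, 8,0, 0x00, 0, 0,
    0x2C, 0,0, 0,0, 64,0, 8,0, 0x00 };

int validate_status(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    return gif_validate_first_frame(buf, len, &n);
}

size_t validate_canvas_bytes(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    return gif_validate_first_frame(buf, len, &n) == GIF_OK ? n : 0;
}

int main(void)
{
    printf("well-formed : status %d, canvas %zu bytes\n",
           validate_status(SAMPLE_OK, sizeof SAMPLE_OK),
           validate_canvas_bytes(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("oversized   : status %d (5 = frame exceeds logical screen)\n",
           validate_status(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED));
    return 0;
}
```

The design point is that every size used to write into the canvas is derived from the same validated pair (sw, sh); the image descriptor is only ever allowed to shrink the region, never grow it. On an iPhone or Android build of the period, where slides 6 and 7 note that heap pages were executable, a rejected frame is the difference between a parse error and code execution.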
  • 8. Securing Web & Mobile Applications
    Your Objective:
    • Ensure secure development of web and mobile applications
    • Prevent Layer 7 attacks and dynamically protect web applications
    • Maintain application performance
    360 Application Security:
    • Secure App Development Training
    • Secure Code Review
    • Mobile Application Penetration Testing
    • Web Application Penetration Testing
    • Web Application Firewall
    • SSL Certificates
    [Chart: TOP APP ATTACK METHODS]
    e-commerce sites are the #1 targeted asset of hackers.
    Source: 2013 Trustwave Global Security Report
  • 9. Application Security -- A Lifecycle View
    [Diagram, SDLC through Production: Security review, Architecture audits, Code review, Static analysis, Dynamic testing, Penetration testing, Application firewalls, Application security training]
  • 10. Challenges to Implement Application Security
    [Diagram labels: Manual process; Error prone; Lack of expertise; Lack of incentive; Complex to carry out; Time-to-market pressure; Lack of influence; Lack of code visibility; Different priorities; No code & design visibility; No root cause info; Lack of influence; Lack of visibility and integration; Application security training]
  • 11. Securing Web & eMail
    Your Objective:
    • Create a layered defense
    • Improve anti-malware power at the gateway
    • Enable safe and productive use of social media
    • Get control of data from creation to destruction
    Content Security and Control:
    • Threat Research & Advisory Services/Feeds
    • Secure Web Gateway
    • Web Application Firewall
    • Secure Email Gateway
    • Data Loss Prevention
    • Data Encryption
    • Security Awareness Education
    Web-based systems are the most utilized threat vector of hackers. AVERAGE TIME FROM BREACH TO DETECTION: 210 DAYS.
    Source: 2013 Trustwave Global Security Report
  • 12. This Means …
    • Defects are found later in the lifecycle
      – Increased remediation cost
    • Often security defects are not fixed due to separate agenda and accountability structures
      – Developers are under time-to-market pressure
    • Siloed model does not scale
      – How many auditors do you need to cover all your apps?
    [Chart: cost for defect fixes by phase (source: NIST): Development 1x, Integration 5x, Audit/test 10x, Production 30x]
  • 13. Why Application Security?
    • Applications are vulnerable
      – 44% of organizations feel that application vulnerabilities pose the greatest threat to them in 2012. Source: InformationWeek 2012 Strategic Security Survey.
    • Fixing them is expensive
      – A recent study of more than 150 organizations found the average total cost to remediate a single application security incident is approximately $300,000.
    • Late fixes are even more expensive
      – It is 5 times more expensive to fix a flaw in development than during design, 10 times more in testing, and 30 times more in deployment. Source: National Institute of Standards and Technology.
  • 14. What We Need: The Shape of An Ideal Solution
    • More automated design audits and threat modeling
    • Easy to use static analysis
    • Suitable for developers
    • Meaningful remediation guidance
    • Integrated with dynamic tests
    • Integrated with static analysis
    • Provide input back to dev
    • Scanning and intelligent pen testing
    • Virtual patching
    • Real time attack blocking
    • Continuous deployment support
    • Application security training
  • 15. That said -- You don’t have to tackle everything at once, but you need a strategy to get there!
  • 16. Recommendations
    • Immediate to-do list
      – Invest in WAF technology for all your external-facing web applications
      – Invest in developer training, focusing on on-the-job training
      – Invest in static analysis technology, start small
    • Medium-term to-do list
      – Perform dynamic scan on all of your applications
      – Define your selective penetration testing strategy
      – Populate static analysis
      – Prioritize remediation
    • Long-term to-do list
      – Build your complete application security competency
  • 17. Ready To Get Started?
    • Get “Addressing the OWASP Top 10 with Trustwave WebDefend” White Paper
      – https://www.trustwave.com/application-security/
    • Take the OWASP Top 10 Threats & Mitigations Course for free!
    • We can show you how to protect your applications in 30 minutes or less. Start your proof of concept with Trustwave WebDefend now!
  • 18. About Trustwave
    • Founded in 1995
    • Almost 1100 employees in 26 locations worldwide
    • Nearly 2.5 million merchants trust us for their compliance and security needs
    • Robust portfolio of risk management, compliance and security solutions
    • Leading provider of Cloud Security through our award-winning TrustKeeper portal
    • Leading provider of Managed Security Services, with global 365x24x7 operations
    • Trustwave SpiderLabs has performed over 14,000 penetration tests and 1,500 forensic investigations
  • 19. Simple Solutions to Complex Challenges
  • 20. 360 Application Security
    • The industry’s only holistic application security lifecycle solution
    • Enables an organization to secure their applications while meeting regulatory and compliance requirements in a simple way
  • 21. Summary
    • Application security should be addressed from design to production
    • Best practice is with a lifecycle approach
    • Trustwave’s 360 Application Security solution, including the award-winning WebDefend WAF, can help you start protecting your applications today

Editor's Notes

  1. Stripped down and customized version of Mac OS X; does not have common binaries such as bash, ssh, or even ls. MobileSafari: many features of Safari have been removed. No Flash plug-in; many file types cannot be downloaded.
  2. Each application runs with its own UID in its own Dalvik virtual machine. Provides CPU protection and memory protection. Authenticated communication protection using Unix domain sockets. Only ping and zygote (which spawns other processes) run as root. Applications announce their permission requirements. Create a whitelist model: the user grants access. But we don’t want to ask the user often, so all questions are asked at install time. The inter-component communication reference monitor checks permissions.
  3. Train your developers. Review your code. Test, test and test again. Protect in real time and virtual patch with technologies like web application firewalls.
  4. Trustwave provides a unified set of offerings to help you address the security challenges and trends we just mentioned. And we do it by hiding the complexity of the environment. At the end of the day, this is what we want the customer to remember: four things about Trustwave that are unique and that we do better than anyone else, and how these areas all work together to address customer issues.
    SpiderLabs – Simple is Intelligent. SpiderLabs is the advanced security team at Trustwave and drives our security research, penetration testing, and incident response offerings. SpiderLabs has completed thousands of forensics investigations and application and network penetration tests in over 50 countries, more, we believe, than any other provider. SpiderLabs are “ethical hackers at the leading edge of security”. This deep experience gives SpiderLabs unparalleled insight into current and emerging security threats, which then provides real-time threat intelligence to significantly enhance our security products as well as managed security offerings. In fact, we just announced the SpiderLabs Threat Intelligence program, where organizations can also get the same threat knowledge we have been providing our internal MSS; this is focused in the areas of Malware, Mobility, Infrastructure and Virtualization/Cloud. SpiderLabs is also very active in sharing our insights with the security community, such as publishing research papers, speaking at events like DefCon and BlackHat and, perhaps most visibly, the annual Global Security Report.
    Unified Security – Simple is Unified. The current approach to security, we think, is ineffective. The world has changed: too many threats, evolving far too quickly from a diverse set of attack vectors. Days and sometimes months pass before a company even realizes it has been compromised. According to the latest Global Security Report, only 16% of all organizations were able to self-detect an attack! This disturbing stat also highlights another major challenge: the complexity that organizations face. Trustwave’s Unified Security approach is designed to address this changing world. We have a comprehensive set of security offerings to protect you from the web layer, to the application layer, to the network layer and finally to the data layer. Our offerings include award-winning secure web gateways, web filters, web app firewalls, network access control, UTM, data loss prevention, secure email gateways, and encryption products. What is unique is how we deliver these products as unified solutions to provide better security and simplicity of use. Trustwave solutions collaborate with our award-winning SIEM to help analyze seemingly disconnected events, and correlate them to recognize threats that would have otherwise been missed. In short, SIEM becomes the nerve center that collects information from individual security solutions, correlates them to gain insight about threats and then takes action to prevent an attack. We “bring all our security, all in one place”. “Unified security is a strategy that correlates and analyzes information from disparate sources, enabling security products to cooperate, understand and jointly repel external and internal threats to data.”
    Managed Security Services – Simple is Focused. Trustwave is one of the leading managed security providers in the world, with global 24x7x365 SOC coverage. Our MSS vision is to “help organizations run their security while they focus on running their business”. In addition to the foundational offerings like UTM, firewalls etc. that many MSS vendors provide, we also provide next-generation and high-value managed offerings like Managed NAC, WAF, SIEM, FIM, Encryption etc. that others do not. This enables Trustwave to not only provide one of the broadest MSS offerings, but also deliver a pathway for companies who need sophisticated security technologies, delivered as simple-to-consume managed offerings. Finally, Trustwave MSS benefits greatly from the real-time threat intelligence from our SpiderLabs division, based on the thousands of forensic investigations and penetration tests done in over 50 countries. This insight helps the Trustwave MSS team to build the right policies to protect our customers, including from threats they were not even aware of. We are honored to be recognized by Forrester as a leader in MSS in their Forrester Wave report. We’re changing the way managed security providers are viewed in the industry: previously it was just to reduce capex and optimize resources. However, now, with Trustwave MSS, you’re not just getting affordable, simplified security but also better security.
    Compliance and Validation – Simple is Clear. We are the global leader in PCI compliance. This unique heritage also provides us a strong blueprint to help address other regulations such as HIPAA, Data Privacy, SOX, ISO2700x etc. Our products are tuned to not only secure your data but also provide reports that can prove compliance with regulations (e.g. our SIEM has over 1400 reports). We have over half a million subscribers in our TrustKeeper portal using us for compliance. They use unique offerings like the “To Do list”, which helps guide users on compliance issues and offers approaches for remediation. We also combine security and compliance solutions to make it easier for organizations; we have successfully helped franchises and other distributed organizations with bundled and packaged solutions to address compliance and security.
    Elevator pitch: “Trustwave’s unified security approach provides organizations simple solutions to complex security and compliance challenges. Our best-in-class solutions, including SWG, WAF, NAC, Encryption and others, build on a layered strategy, offering protection from the web, applications, to networks, email and ultimately to the data itself. Uniquely, these solutions collaborate with our market-leading SIEM technology to correlate and analyze security events in real time, helping businesses quickly understand vulnerabilities and take action to repel both internal and external threats. These unified solutions, enhanced with intelligence from Trustwave’s SpiderLabs, an advanced security and research team, can be deployed on-premise or delivered as managed services through our award-winning portal, TrustKeeper.”