The document discusses reducing attack surfaces in cloud environments. It notes that understanding your attack surface is critical for deploying proper security controls as attack surfaces differ between cloud and on-premises environments. It also states that web application attacks are now the leading cause of data breaches but less than 5% of security budgets are spent on application security. Common cloud misconfigurations are also discussed as a major risk factor.
This document discusses security in the cloud and recommends best practices. It notes that while AWS provides many security tools, customers are still responsible for 95% of security failures due to human error. It then outlines various attack types like SQL injection and remote code execution that target web applications. The document recommends leveraging machine learning and multiple detection techniques to identify multi-stage attacks. It emphasizes the need to secure the entire attack surface, including on-premises environments, and highlights services like Alert Logic that provide 24/7 monitoring, analytics, and security experts to help detect and respond to threats.
Radware provides a hybrid web application protection solution including an on-premise WAF appliance and cloud-based WAF service. The solution offers complete coverage of the OWASP Top 10 vulnerabilities through negative and positive security models. Radware's WAF requires minimal manual configuration and provides automatic policy generation for fast time to protection against both known and unknown attacks. The cloud-based WAF service provides always-on DDoS and behavioral protection along with a fully managed web application security solution.
This document discusses security considerations for cloud computing versus on-premise security. It notes that while many think cloud security is managed similarly to on-premise, obtaining access to one node could provide access to the entire infrastructure. It then lists various security standards and guidelines for cloud security. Potential attack vectors like outdated software, weak configurations, and vulnerabilities in cloud applications are covered. The challenges of incident response and forensics in large cloud infrastructures are also addressed. Recommendations include conducting security assessments, access control, logging, multi-factor authentication, and employee education.
Web application firewalls (WAFs) examine traffic beyond IP and TCP headers to perform deep packet inspection and detect known application vulnerabilities without requiring code modifications. A typical WAF architecture filters network traffic and monitors sessions. WAFs can stop attacks before reaching web servers by filtering at the application layer. They provide compensating controls to protect faulty code and allow resources to focus elsewhere by securing applications at the network level. WAFs are useful for custom code without developers, vendor code with limited auditing, and legacy systems, particularly for government, healthcare, retail, and manufacturing.
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems (centralohioissa)
This document discusses the insecurity of physical access control systems (PACS). It begins by describing the typical components of a PACS, including access cards, readers, access control panels, and servers. It then explains that while physical and cyber security are converging, the physical security industry lacks the security maturity and culture of IT. Many PACS deployments are insecure due to vendor features lacking testing, heavy reliance on IT without understanding, and being deployed and forgotten. The document outlines various attack surfaces and exploits against access cards, readers, control panels and servers. It concludes by providing an example of how these attacks could be combined to take over an entire PACS.
This example-laden talk will show how common tools available in today's enterprise environments can be harnessed to enhance and transform an appsec program. This talk will have example attacks and simple config changes that could make all the difference. Devs, infrastructure sec, CISOs, come one, come all.
Security Implications of the Cloud - CSS Dallas Azure (Alert Logic)
The document summarizes the security implications of cloud computing. It notes that web application attacks are now the number one source of data breaches, but less than 5% of security budgets are spent on application security. It discusses how risks are moving up the application stack as vulnerabilities can be introduced through code changes and dependencies. Defending web applications and workloads in the cloud is complex due to a wide range of attacks at every layer of the stack and a shortage of security expertise. It then provides an example of a data exfiltration attack against a retail company where an attacker exploited known PHP flaws to access critical systems and steal data over 4 months without detection.
Did you lock the door before leaving your house this morning? If you did, you threat modeled without even realizing it. Threat modeling is identifying potential threats (house robbery) and implementing measures to mitigate the risk (locking your door).
Whether you are protecting personal assets or business-related assets such as the software you are developing, threat modeling should become an instinctual and necessary part of your process.
Our talk highlights how nearly 50% of security flaws can be mitigated through threat modeling. We help you prevent and mitigate risks by utilizing a reliable and hard-hitting analysis technique that can be applied to individual applications or across an entire portfolio. We show you how to effectively apply these techniques at the start of the design phase and throughout every phase of the development lifecycle so you can maximize the ROI of your security efforts.
Topics covered include:
• Threat Modeling 101
• The propagating effect of poor design
• Tabletop exercise – a world with and without threat modeling
• Best practices and metrics for every stakeholder
This document discusses security challenges in the cloud and Alert Logic's approach to addressing them. It begins by outlining various security services needed in the cloud like monitoring, scanning, and access management. It then describes a hypothetical attack scenario against a web application to illustrate how an attacker may progress from reconnaissance to gaining a persistent foothold. It evaluates what security tools would provide visibility into each stage of the attack. The document concludes by describing Alert Logic's integrated security model which combines infrastructure and application threat visibility, security analytics, and human experts to detect threats across cloud, hosted, and on-premises environments.
BeyondCorp is Google's zero trust architecture that allows employees to work from untrusted networks without using a VPN. It automates good security practices by making access decisions based on who the user is, what device they're on, and other dynamic factors. This eliminates issues like shared credentials and unpatched devices accessing resources. The key aspects of BeyondCorp are removing network trust, using short-lived credentials, and centralizing authentication and authorization based on real-time trust evaluations of users and their devices. The presentation provides recommendations for organizations to implement their own zero trust architecture, such as taking an inventory, understanding use cases, defining policy frameworks, and starting with simple access controls before getting more granular.
This document discusses vulnerabilities found in mobile device management (MDM) solutions. It begins with background on the growing MDM market and how the research started from vulnerabilities discovered during a penetration test. The research found issues in how MDM solutions implemented the iOS MDM API, including lack of encryption, token issues, and flaws in signature validation. This could allow impersonation of users, denial of service attacks, intercepting sensitive data, and more. The document warns that MDM solutions can increase security risks if not implemented carefully, and that vendors and users must prioritize security practices like penetration testing, secure development, and monitoring.
This document discusses strategies for protecting against web application attacks. It begins by outlining common attack vectors like exploiting vulnerabilities in content management systems and SQL injection. It then describes hacker reconnaissance methods such as crawling target websites, mass vulnerability scanning, using open forums, and the dark web. The document proceeds to explain how attacks can escalate privileges and maintain access. Finally, it provides recommendations for remediation strategies like securing code, implementing access management policies, adopting patch management, understanding service provider security models, implementing monitoring and staying informed of latest vulnerabilities.
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode (Digital Defense Inc)
http://www.ddifrontline.com
Digital Defense Inc (DDI) and Veracode present the "Crafting Super-Powered Risk Assessments" webinar and slides. The presentation covers security assessments, application security, and how to manage risk.
Stop Attacks and Mitigate Risk with Application and Device Control (Symantec)
Application and device control features in Symantec Endpoint Protection allow organizations to restrict applications and devices used on endpoints, mitigate risks, and prevent attacks. These features whitelist approved applications and devices, blacklist those known to be bad, and block unauthorized access. They also prevent data loss through external storage devices and help enforce corporate security policies and compliance standards.
Secure by design and secure software development (Bill Ross)
This secure lifecycle management process (SLCMP, pronounced "slickum") defines the basic and most realistic way to develop secure software. While the briefing is a bit dated, slide 34 is still a very relevant process. What is below the green line is the dynamic security process that runs in support of the basic development process shown above the green line. SLCMP is supported by building a complementary and excellent information risk framework system security plan, or IRASSP. SLCMP is operationally deployed.
The document summarizes key points about web application security vulnerabilities and how to address them. It discusses common vulnerabilities like parameter manipulation, cross-site scripting, and SQL injection that occur due to improper validation of user input. It emphasizes the importance of validating all user input on the server-side to prevent attacks, and not storing sensitive values in cookies or hidden form fields that can be manipulated by attackers.
The document discusses security challenges in cloud computing and provides an overview of Alert Logic's security solutions. It begins by noting that security is a challenge that has changed with the cloud model introducing shared responsibility. It then provides examples of security services Alert Logic offers across various areas like access management, patching, monitoring, and network threat detection. The document uses an example attack scenario to illustrate how an attacker may perform reconnaissance, exploit vulnerabilities like path traversal and remote file inclusion, extract data through SQL injection, establish command and control through a webshell, and the visibility different parts of Alert Logic's solution would provide at each stage. It argues integrated solutions covering assets, vulnerabilities, network, and application layers are needed for full threat visibility and coverage.
The Offensive Cyber Security Certification will upgrade your skills to become a pentester or exploit developer. You will learn multiple offensive approaches to accessing infrastructure, environments, and information, along with risk analysis and mitigation, compliance, and much more with this program.
u10a1 Network and Security Architecture _FINAL - Kent Haubein
The document discusses a proposed network and security architecture for Happy Health Systems, a healthcare organization. It analyzes the existing business silos architecture and recommends moving to a standardized technology architecture. This will allow for implementing a common EMR system, applications like Exchange email, and reducing different systems/platforms. A CIO role is needed to oversee the change and ensure IT supports business objectives like future growth and cost savings. The proposal outlines project objectives, scope, approach and user/application requirements to implement the new architecture.
we45 - Web Application Security Testing Case Study (we45)
we45 performed a comprehensive security test of a large messaging gateway's platform over 5 years. They identified deep injection flaws and unauthorized access to web services. we45 presented detailed findings, which were remediated. The client now has an enhanced security program with we45 as a long-term security partner.
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp... (BeyondTrust)
In this Slideshare from the webinar of CQURE Academy Security Expert, Krystian Zieja, you will gain insights into:
- How sudo really works and what information we need to know before using it
- Working with sudo logging and using sudo in combination with a central logging server as a security control
- Session recording and replaying to analyze user behavior
- The enterprise-wide sudoers file management
- How to prevent common pitfalls of sudo configuration
- LDAP Integration
- Best practices for sudo usage
You can watch the full, on-demand webinar here: https://www.beyondtrust.com/resources/webinar/sudo-mode-part-2-privilege-mistakes-dismantle-entire-enterprise/
An overview of the Secure Software Development Life Cycle (SSDLC) process, along with some simple tools and techniques that can help application hardening and data protection.
BeyondCorp - Google Security for Everyone Else (Ivan Dwyer)
Presentation given at the Rocky Mountain InfoSec Conference - May 10, 2017.
Gives an overview of Google's BeyondCorp project, why Zero Trust is the right framework to follow, and how to get started at your own company.
Learn more about BeyondCorp at: www.beyondcorp.com
Learn more about ScaleFT at: www.scaleft.com
Stories from the Security Operations Center (Alert Logic)
The document summarizes stories from a security operations center, including examples of initial attacks on WordPress sites through XMLRPC vulnerabilities and subsequent SQL injection attacks. It discusses how web application attacks have become more prevalent as organizations increasingly rely on open source and web apps, and these attacks can enable large scale breaches if not detected early. The document also provides an overview of how Alert Logic detects threats through network monitoring, log collection and analysis, and web application firewalls.
Webcast Series #3: GDPR Deadline Readiness and Impact to Global Organizations... (Qualys)
Learn to effectively navigate the security risks, new regulations, and new technologies on your journey to a secure and compliant digital transformation with this Qualys webcast series.
In this webcast, Tim White, Director of Product Management at Qualys, explained how Qualys helps customers worldwide comply with the European Union General Data Protection Regulation (GDPR).
You will learn how Qualys’ security and compliance apps enable GDPR compliance by:
• Tracking and classifying the IT assets which contain EU customers’ personal data
• Providing ongoing protection of personal data across global IT environments and third parties
• Maintaining continuous visibility of your organization’s GDPR compliance state
Watch the on-demand recording: https://goo.gl/DkNq52
This document discusses security vulnerabilities and threats facing media web applications. It notes that media organizations are prime targets due to their always-on services, reputation, and large public footprint. Threat actors like hacktivists and nation states use cyber attacks to disrupt service and influence public opinion. Common attack types for media include DDoS, defacement, and advanced persistent threats. The document provides statistics on data breaches in early 2016 and surveys of vulnerabilities found across media websites. It outlines challenges in protecting journalists, content, and systems. Fullstack security is recommended along with continuous assessment to match changing environments.
Digital Personnel uses social media and online advertising to recruit candidates globally for clients like Electronic Arts. They have a database of 100,000 candidates and use platforms like LinkedIn, Twitter, Facebook and job boards to generate interest and find qualified candidates. Digital Personnel would assign an Account Manager and Recruiter to work with EA to source, qualify, and place candidates by leveraging their digital expertise and recruitment process.
Did you lock the door before leaving your house this morning? If you did, you threat modeled without even realizing it. Threat modeling is identifying potential threats (house robbery) and implementing measures to mitigate the risk (locking your door).
Protecting valuable assets, no matter if personal assets or business-related assets such as the software you are developing, threat modeling should become an instinctual and necessary part of your process.
Our talk highlights how nearly 50% of security flaws can be mitigated through threat modeling. We help you prevent and mitigate risks by utilizing a reliable and hard-hitting analysis technique that can be applied to individual applications or across an entire portfolio. We show you how to effectively apply these techniques at the start of the design phase and throughout every phase of the development lifecycle so you can maximize the ROI of your security efforts.
Topics covered include:
• Threat Modeling 101
• The propagating effect of poor design
• Tabletop exercise – a world with and without threat modeling
• Best practices and metrics for every stakeholder
This document discusses security challenges in the cloud and Alert Logic's approach to addressing them. It begins by outlining various security services needed in the cloud like monitoring, scanning, and access management. It then describes a hypothetical attack scenario against a web application to illustrate how an attacker may progress from reconnaissance to gaining a persistent foothold. It evaluates what security tools would provide visibility into each stage of the attack. The document concludes by describing Alert Logic's integrated security model which combines infrastructure and application threat visibility, security analytics, and human experts to detect threats across cloud, hosted, and on-premises environments.
BeyondCorp is Google's zero trust architecture that allows employees to work from untrusted networks without using a VPN. It automates good security practices by making access decisions based on who the user is, what device they're on, and other dynamic factors. This eliminates issues like shared credentials and unpatched devices accessing resources. The key aspects of BeyondCorp are removing network trust, using short-lived credentials, and centralizing authentication and authorization based on real-time trust evaluations of users and their devices. The presentation provides recommendations for organizations to implement their own zero trust architecture, such as taking an inventory, understanding use cases, defining policy frameworks, and starting with simple access controls before getting more granular.
This document discusses vulnerabilities found in mobile device management (MDM) solutions. It begins with background on the growing MDM market and how the research started from vulnerabilities discovered during a penetration test. The research found issues in how MDM solutions implemented the iOS MDM API, including lack of encryption, token issues, and flaws in signature validation. This could allow impersonation of users, denial of service attacks, intercepting sensitive data, and more. The document warns that MDM solutions can increase security risks if not implemented carefully, and that vendors and users must prioritize security practices like penetration testing, secure development, and monitoring.
This document discusses strategies for protecting against web application attacks. It begins by outlining common attack vectors like exploiting vulnerabilities in content management systems and SQL injection. It then describes hacker reconnaissance methods such as crawling target websites, mass vulnerability scanning, using open forums, and the dark web. The document proceeds to explain how attacks can escalate privileges and maintain access. Finally, it provides recommendations for remediation strategies like securing code, implementing access management policies, adopting patch management, understanding service provider security models, implementing monitoring and staying informed of latest vulnerabilities.
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeDigital Defense Inc
http://www.ddifrontline.com
Digital Defense Inc (DDI) and Veracode present the "Crafting Super-Powered Risk Assessments" webinar and slides. The presentation covers security assessments, application security, and how to manage risk.
Stop Attacks and Mitigate Risk with Application and Device ControlSymantec
Application and device control features in Symantec Endpoint Protection allow organizations to restrict applications and devices used on endpoints, mitigate risks, and prevent attacks. These features whitelist approved applications and devices, blacklist those known to be bad, and block unauthorized access. They also prevent data loss through external storage devices and help enforce corporate security policies and compliance standards.
Secure by design and secure software developmentBill Ross
This secure lifecycle management process (SLCMP said slickum) defines the basic and most realistic way to develop secure software. While the briefing is a bit dated slide 34 is still a very relevant process. What is below the green line is the security dynamic process that happens supporting the basic development process seen above the green line. SLCMP is supported by building a complementary and excellent information risk framework system security plan or IRASSP. SLCMP is operationally deployed.
The document summarizes key points about web application security vulnerabilities and how to address them. It discusses common vulnerabilities like parameter manipulation, cross-site scripting, and SQL injection that occur due to improper validation of user input. It emphasizes the importance of validating all user input on the server-side to prevent attacks, and not storing sensitive values in cookies or hidden form fields that can be manipulated by attackers.
The document discusses security challenges in cloud computing and provides an overview of Alert Logic's security solutions. It begins by noting that security is a challenge that has changed with the cloud model introducing shared responsibility. It then provides examples of security services Alert Logic offers across various areas like access management, patching, monitoring, and network threat detection. The document uses an example attack scenario to illustrate how an attacker may perform reconnaissance, exploit vulnerabilities like path traversal and remote file inclusion, extract data through SQL injection, establish command and control through a webshell, and the visibility different parts of Alert Logic's solution would provide at each stage. It argues integrated solutions covering assets, vulnerabilities, network, and application layers are needed for full threat visibility and coverage.
The Offensive Cyber Security Certification will upgrade your skills to become a pentester, exploit developer. You will learn multiple offensive approaches to access infrastructure, environment, and information, performing risk analysis and mitigation, compliance, and much more with this program.
u10a1 Network and Security Architecture _FINAL - Kent HaubeinKent Haubein
The document discusses a proposed network and security architecture for Happy Health Systems, a healthcare organization. It analyzes the existing business silos architecture and recommends moving to a standardized technology architecture. This will allow for implementing a common EMR system, applications like Exchange email, and reducing different systems/platforms. A CIO role is needed to oversee the change and ensure IT supports business objectives like future growth and cost savings. The proposal outlines project objectives, scope, approach and user/application requirements to implement the new architecture.
we45 - Web Application Security Testing Case Studywe45
we45 performed a comprehensive security test of a large messaging gateway's platform over 5 years. They identified deep injection flaws and unauthorized access to web services. we45 presented detailed findings, which were remediated. The client now has an enhanced security program with we45 as a long-term security partner.
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...BeyondTrust
In this Slideshare from the webinar of CQURE Academy Security Expert, Krystian Zieja, you will gain insights into:
- How sudo really works and what information we need to know before using it
- Working with sudo logging and using sudo in combination with a central logging server as a security control
- Session recording and replaying to analyze user behavior
- The enterprise-wide sudoers file management
-How to preventing common pitfalls of sudo configuration
- LDAP Integration
- Best practices for sudo usage
You can watch the full, on-demand webinar here: https://www.beyondtrust.com/resources/webinar/sudo-mode-part-2-privilege-mistakes-dismantle-entire-enterprise/
An overview of the Secure Software Development Life Cycle (SSDLC) process, along with some simple tools and techniques that can help application hardening and data protection.
BeyondCorp - Google Security for Everyone ElseIvan Dwyer
Presentation given at the Rocky Mountain InfoSec Conference - May 10, 2017.
Gives an overview of Google's BeyondCorp project, why Zero Trust is the right framework to follow, and how to get started at your own company.
Learn more about BeyondCorp at: www.beyondcorp.com
Learn more about ScaleFT at: www.scaleft.com
Stories from the Security Operations CenterAlert Logic
The document summarizes stories from a security operations center, including examples of initial attacks on WordPress sites through XMLRPC vulnerabilities and subsequent SQL injection attacks. It discusses how web application attacks have become more prevalent as organizations increasingly rely on open source and web apps, and these attacks can enable large scale breaches if not detected early. The document also provides an overview of how Alert Logic detects threats through network monitoring, log collection and analysis, and web application firewalls.
Webcast Series #3: GDPR Deadline Readiness and Impact to Global Organizations... (Qualys)
Learn to effectively navigate the security risks, new regulations, and new technologies on your journey to a secure and compliant digital transformation with this Qualys webcast series.
In this webcast, Tim White, Director of Product Management at Qualys, explained how Qualys helps customers worldwide comply with the European Union General Data Protection Regulation (GDPR).
You will learn how Qualys’ security and compliance apps enable GDPR compliance by:
• Tracking and classifying the IT assets which contain EU customers’ personal data
• Providing ongoing protection of personal data across global IT environments and third parties
• Maintaining continuous visibility of your organization’s GDPR compliance state
Watch the on-demand recording: https://goo.gl/DkNq52
This document discusses security vulnerabilities and threats facing media web applications. It notes that media organizations are prime targets due to their always-on services, reputation, and large public footprint. Threat actors like hacktivists and nation states use cyber attacks to disrupt service and influence public opinion. Common attack types for media include DDoS, defacement, and advanced persistent threats. The document provides statistics on data breaches in early 2016 and surveys of vulnerabilities found across media websites. It outlines challenges in protecting journalists, content, and systems. Fullstack security is recommended along with continuous assessment to match changing environments.
Digital Personnel uses social media and online advertising to recruit candidates globally for clients like Electronic Arts. They have a database of 100,000 candidates and use platforms like LinkedIn, Twitter, Facebook and job boards to generate interest and find qualified candidates. Digital Personnel would assign an Account Manager and Recruiter to work with EA to source, qualify, and place candidates by leveraging their digital expertise and recruitment process.
This document provides guidance for writing feature stories, including considering the audience, developing a story idea and research plan, conducting research through interviews and other methods, and determining elements like point of view and story structure. Key aspects of writing a feature story are planning the approach through researching the who, what, when, where, why and how; knowing when enough research has been done; and crafting the story using techniques like showing rather than telling and building tension through an effective story arc.
This document discusses SQL injection and ways to prevent it. SQL injection occurs when malicious SQL statements are inserted into an insufficiently validated string that is later executed as a database command. It can allow attackers to read or modify data in the database. The document outlines different types of SQL injection attacks and provides examples of how input validation and prepared statements can prevent injection. It also discusses command injection and file path traversal attacks.
DAWN: November event: Supersize your digital career (kimknapman)
The document summarizes a networking event organized by DAWN (Digital Advertising Women's Network) in London on November 16, 2011. It includes an agenda for the event with introductions, a 30-minute panel discussion, an open Q&A, and drinks. It also provides brief biographies of two panelists - Tracey De Groose of Carat and Holly Maguire of Glue Isobar. The document encourages feedback and looks ahead to more DAWN events in 2012.
This document discusses HTML5, WebSockets, and security considerations for these technologies. It provides an overview of WebSockets including how they work and how to implement them securely. It also discusses potential security issues with HTML5 features like forms, iframes, and local storage and recommends approaches to mitigate risks like input validation, sandboxing iframes, and avoiding sensitive data storage.
HTTP is the protocol used to transmit data over the web. It is stateless and requires sessions to track state. Requests and responses use headers to transmit metadata. Sensitive data should only be sent over HTTPS and only through POST, PUT, PATCH requests never in the URL query string. Response headers like HSTS, CSP, and CORS help secure applications by controlling caching, framing, and cross-origin requests.
Project management involves planning, organizing, and managing resources to complete projects on time, within budget, and according to specifications. Common project management techniques include work breakdown structures, Gantt charts, critical path method, program evaluation and review technique, and critical chain project management. Various approaches have been developed over time, including more traditional sequential models as well as more adaptive agile and iterative frameworks.
XSS (cross-site scripting) is a common web vulnerability that allows attackers to inject client-side scripts. The document discusses various types of XSS attacks and defenses against them. It covers:
1) Reflected/transient XSS occurs when untrusted data in URL parameters is immediately displayed without sanitization. Stored/persistent XSS occurs when untrusted data is stored and later displayed. DOM-based XSS manipulates the DOM.
2) Defenses include HTML/URL encoding untrusted data before displaying it, validating all inputs, and using context-specific encoding for HTML elements, attributes, JavaScript, and URLs.
3) The OWASP Java Encoder Project and Microsoft Anti
The Changing Nature of the Customer Relationship (michellereape)
This paper explores considerations on how to harness the power of the customer relationship on the front lines to power our clients’ competitive edge through to their bottom line
Vulnerability management and threat detection by the numbers (Eoin Keary)
1. There are many approaches to application security testing like DAST, SAST, IAST, but an attacker only needs to find one vulnerability.
2. Both vulnerabilities in code and inaccuracies in security assessments pose potential risks.
3. Most application code uses open source frameworks, but many organizations do not monitor for vulnerabilities in these components or have open source policies.
4. While automation can help scale security assessments, factors like context, accuracy, and technical constraints make fully scaling security challenging.
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe... (Amazon Web Services)
While security is a top concern in every organization these days, it often gets a bad rap. In many minds, security has the reputation of the bothersome villain who attempts to hinder performance or restrain agility. In this session we will outline three strategies to protect your valuable workloads, without falling into traditional security traps. We will walk through three stories of EC2 security superheroes who saved the day by overcoming compliance and design challenges, using a (not so) secret arsenal of AWS and Trend Micro security tools.
Key takeaways from this session include how to:
- Design a workload-centric security architecture
- Improve visibility of AWS-only or hybrid environments
- Stop patching live instances but still prevent exploits
Speaker: Sasha Pavlovic, Director, Cloud & Datacentre Security, Asia Pacific, Trend Micro
This document summarizes a presentation given by Chris Harwood of Healthdirect Australia about their migration to AWS and use of Trend Micro Deep Security. The key points are:
1) Healthdirect Australia provides various health services and needed to migrate to the cloud to improve scalability, security, and agility.
2) Migrating to AWS helped Healthdirect address issues like limited capacity, high costs, and inability to respond quickly with their traditional on-premises environment.
3) Security was a major concern for Healthdirect due to the sensitive healthcare data they handle. Trend Micro Deep Security provided host-based security that fit their needs on AWS.
4) Deep Security's agent-
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyber Risks
• Data Breach and Cloud Misconfigurations
• Insecure Application User Interface (API)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
3 Secrets to Becoming a Cloud Security Superhero - Session Sponsored by Trend... (Amazon Web Services)
This document discusses Healthdirect Australia's journey to moving their infrastructure to Amazon Web Services (AWS) in order to improve security, scalability, availability, and reduce costs. It outlines the risks of their traditional on-premises environment and drivers for moving to AWS. It then describes the security challenges they faced and how Trend Micro's Deep Security product helped solve them by providing host-based firewalling, intrusion prevention, antivirus, log inspection and other capabilities in a single management console, while fitting with their continuous delivery practices. Deep Security's usage-based licensing also aligned well with their autoscaling use of AWS. Overall, Deep Security helped Healthdirect achieve security compliance and improved security when moving to AWS.
This document provides an overview of web application security. It discusses why security is important for web applications and outlines common security threats. It then covers topics like designing secure applications, building them securely, and assessing security. Design considerations include input validation, authentication, authorization, and session management. Building securely involves role-based access control, exception handling, and cryptography. Assessment involves testing for vulnerabilities like injection flaws and broken authentication.
The document discusses information security solutions provided by Taarak India Private Limited. It covers their team size and certifications, solutions addressing confidentiality, integrity and availability, and agenda items around risk to information, information security management, technology challenges of bandwidth availability/optimization, data security, log management and system management.
David Cass discusses the role of security and how best practices can be used to accelerate cloud adoption and success.
Learn more by visiting our Bluemix Hybrid page: http://ibm.co/1PKN23h
Speaker: David Cass (Vice President, Cloud and SaaS CISO)
Importance of Identity Management in Security - Microsoft Tech Tour @Towson (Adam Levithan)
The document discusses identity and content security for cloud services like Office 365. It describes the evolving threat landscape where data breaches are increasingly common. It then outlines various approaches Microsoft takes to secure user identity, access to applications and content, device management, and auditing and monitoring in its cloud services. These include multi-factor authentication, conditional access policies, encryption of data in transit and at rest, activity monitoring and alerts, and mobile device management capabilities. The document aims to help organizations understand how to translate on-premises security practices to the cloud to properly secure user identity and regulate access to content.
This document discusses how to produce more secure web applications. It identifies that the core security problem facing web applications is handling untrusted user input in a safe manner to prevent attacks like XSS and CSRF. It recommends following a secure development lifecycle that includes requirements gathering, design, development, testing, and change control phases. During these phases, activities like threat modeling, secure coding practices, code reviews, and security testing can help balance functionality and security. Training, coding standards, and resources from OWASP can also help developers build more secure applications.
You automated your deployment, elasticized your workloads, and dynamically provisioned your fleet. What do you do next?
Tackle automating your security needs using the latest capabilities in the cloud! There’s no single path to building an automated and continuous security architecture that works for every organization, but certain key principles and techniques are used by the early adopter cloud elite that give them distinct advantages. It's time to re-think your organization’s processes and behaviors to demonstrate the latest efficiencies in your security operations. In this webinar, learn how Intuit implements cloud security automation with Evident.io and other innovative cloud technologies.
Join us to learn:
• How security will be integrated into the overall processes of development and deployment.
• How to tie security acceptance tests, a subset of your key security controls, right into the end of your functional testing process to promote builds with confidence at greater speed.
• How to be successful with API-enabled, continuous security tools in the cloud.
• How to operationalize security alarms, enabling world-class incident response and remediation capabilities.
This document discusses SQL Server security best practices. It begins by noting that data breaches are common and costly for businesses. The presenter then covers security principles of confidentiality, integrity and availability. Various attack methods are described, demonstrating how quickly an unsecured system can be compromised. The presentation recommends implementing security policies across physical, network, host, application and database layers. Specific issues like SQL injection and authentication/authorization approaches are discussed. New SQL Server 2016 security features such as Always Encrypted and row-level security are also mentioned. Resources for further information are provided.
The document discusses security challenges in a smarter, more interconnected world and IBM's smart security solutions framework and portfolio to address these challenges. The framework focuses on governance, risk management, compliance and five security areas: physical infrastructure, people and identity, data and information, applications and processes, and networks, servers, and endpoints. IBM's security solutions can help customers meet challenges in each area to create a strong security foundation.
The document provides an overview of web application security. It discusses what web application security entails, which is achieving an acceptable level of security for a web application solution. It explains why web application security is important given increased reliance on web apps and their global accessibility. It outlines some common security risks like browser hijacking, cookie theft, and denial of service attacks. It also discusses how security problems should be addressed earlier in the development lifecycle to reduce costs. The document then delves into specific vulnerabilities like hidden field manipulation, cookie poisoning, buffer overflows, and cross-site scripting attacks. Examples are provided to illustrate how attackers can exploit these vulnerabilities.
Application Security - Your Success Depends on it (WSO2)
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
In this session you will learn why you need to shift from vulnerability detection only to a holistic web application defense strategy. We’ll outline the top three ways to improve your web app security and share how others have developed an integrated, comprehensive strategy that reduces costs and improves the balance between security and app functionality.
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities... (Veracode)
This infographic summarizes best practices for building secure web applications. It outlines the top 10 application security risks according to OWASP, including injection, XSS, and insecure cryptographic storage. It provides a checklist of security measures for developers, such as input validation, access controls, and encryption. Specific examples are given for preventing XSS and SQL injection flaws. The infographic stresses that security is a process that requires thorough testing of all application components and controls.
CloudPassage Best Practices for Automatic Security Scaling (Amazon Web Services)
Organizations that are transitioning from a traditional data center to an on-demand IT environment, such as AWS, are quickly finding that automating and scaling legacy security services for comprehensive workload security can be challenging. In light of these challenges, it is necessary to deploy a security solution that employs the same versatility and elasticity as the cloud workloads it is meant to protect. CloudPassage® Halo® provides virtually instant visibility and continuous protection for servers in any combination of data centers, private clouds and public clouds like AWS. Join Xero and CloudPassage to learn about best practices for migrating your security workloads to the cloud.
Join us to learn:
- Best practices for maintaining workload security
- How you can align cloud security deployment methods with on-premises deployment methods
- Key considerations for architecting your infrastructure to scale quickly and securely
Who should attend: CTOs, CIOs, CISOs, Directors and Managers of Security, IT Administrators, IT Architects and IT Security Engineers
This document discusses automating security operations on AWS. It begins by noting the large costs of data breaches and intellectual property theft for businesses. It then discusses how AWS can provide more security than an on-premises environment through features like automated logging and monitoring, simplified access controls, and encryption. The document emphasizes that security is a shared responsibility between AWS and the customer, with AWS securing the underlying cloud infrastructure and customers securing their applications and data. It provides examples of AWS security certifications and programs. Finally, it discusses how security automation is key to keeping up with the scale of cloud infrastructure and software delivery.
This document discusses the need for adopting an industry standard network security architecture model to improve security without unnecessary complexity. It outlines the evolution of typical network architectures from closed to increasingly open and exposed. This has introduced new threats that cannot be addressed by isolated security solutions alone. The document advocates aligning security controls according to well-defined architectural principles and business needs, and properly managing the integrated system as a whole.
The 2023 Vulnerability Stats report as delivered to the IISF.
Covering: PTaaS, Pentesting, Vulnerability Management, EPSS, CISA KEV, Risk, Attack Surface Management. It's based on delivering thousands of PTaaS and RBVM assessments throughout 2022. Why tools and traditional pentesting have failed.
1. Edgescan uses automated validation and analytics to determine if vulnerabilities discovered during scans are true or false positives, automatically publishing issues with over 90% confidence.
2. Vulnerabilities with lower confidence scores or that are high severity undergo expert validation by seasoned penetration testers to further validate findings.
3. This two-step validation process helps ensure Edgescan only delivers accurate vulnerability intelligence to clients.
Does a Hybrid model for vulnerability Management Make Sense.pdf (Eoin Keary)
Combining automation for scale and human expertise for depth. Leveraging thousands of datapoints and cyber analytics to verify security vulnerabilities. Why automation alone does not work: our enemies are humans. Automation does not have the skills to exploit business logic risks. Context is queen when it comes to risk-based prioritization.
Vulnerability stats, full stack cyber issues.
Vulnerability management, threat analysis and attack surface management. Exposures, MTTR and cyber risk management.
Based on the assessment of thousands of systems globally on a continuous basis.
A deck discussing the findings from the Edgescan 2021 Vulnerability Stats Report. A full stack view of the vulnerabilities discovered in 2020 based on thousands of assessments. Host, network and application layer security metrics (full stack).
This document discusses the failure of traditional vulnerability management and proposes a more effective approach. It argues that vulnerability management needs to be continuous, accurate, integrated across the full technology stack, and augmented with human expertise. Traditional approaches relying solely on automated scans are not keeping pace with rapid technology changes and the sophisticated techniques used by attackers. An effective vulnerability management program requires continuous visibility, automated patching of known issues, secure development practices, and vigilance in detecting new vulnerabilities through a combination of tools and human review.
The 2018 Vulnerability Stats report covering a full-stack review of cyber security across thousands of web applications, end-points and cloud based systems globally.
Full stack vulnerability management at scale (Eoin Keary)
- Full-stack vulnerability management is needed to address security risks across applications, servers, databases, services, and operating systems. Automation is key to assessing security at scale across the full technology stack.
- While automation can detect many technical vulnerabilities, it cannot assess logical vulnerabilities involving business logic, authorization, or compliance issues that require human judgment and context.
- Continuous vulnerability management is needed to keep pace with today's agile development cycles and constantly changing environments, focusing on changes since the last assessment to prioritize remediation.
Vulnerability Intelligence - Standing Still in a world full of change (Eoin Keary)
The document discusses effective and scalable fullstack vulnerability management. It describes managing thousands of systems globally through continuous assessment and false-positive free vulnerability scanning of web applications, APIs, hosts, and full IT stacks. Recent major data breaches are listed, demonstrating the real threat of cybercrime. The majority of critical and high risks are found in web application layers. Attack vectors include malware, phishing, hacking, and nation state cyber espionage. An agile risk model is advocated to keep pace with frequent code changes and deployment of new systems and services. Integration with security tools like SIEM, firewalls, and bug trackers provides intelligence and visibility.
The document provides statistics and analysis from edgescan's 2018 vulnerability report. Some key findings include:
- 19% of vulnerabilities were in web applications and APIs, while 81% were in network infrastructure. Application layer vulnerabilities posed higher risks.
- Internal systems had higher rates of high/critical risks (24.9% for applications) than internet-facing systems.
- Common web application vulnerabilities included XSS, SQL injection, and vulnerable components. For infrastructure, TLS/SSL issues and SMB vulnerabilities were most prevalent.
- Unsupported Windows 2003 systems and vulnerabilities like EternalBlue accounted for a large portion of risks found.
Hide and seek - Attack Surface Management and continuous assessment. (Eoin Keary)
Attack surface management and visibility is key to maintaining a robust cyber security posture. Continuous assessment, accuracy and scale are key to enterprise security.
Discussion on how to deliver vulnerability management at scale.
Why Fullstack vulnerability management is important and silos of security are an issue. The pitfalls when delivering 1000's of assessments on a continuous basis. How edgescan delivers vulnerability intelligence.
Web security – everything we know is wrong cloud version (Eoin Keary)
This document summarizes a presentation on web security given by Eoin Keary. The key points made are:
1) Traditional penetration testing is not sufficient for continuous security and the arms race with attackers. Continuous monitoring and testing is needed.
2) Many vulnerabilities come from third party code and dependencies that are not adequately tested or managed.
3) It is difficult for organizations to manage vulnerabilities at scale across many applications without enterprise vulnerability management.
4) Too many reported vulnerabilities can overwhelm developers, so prioritization and explaining issues simply is important.
Why continuous assessment is required. How to keep pace with development and secure constant change. Vulnerability statistics across the fullstack. What are the most common security issues in the web application and host layer.
Talk in Switzerland at European Broadcasting Union cyber security event - Feb 2017.
Discussing some core aspects of secure application development, technical security controls and secure systems development lifecycle....
Input validation is important to prevent attacks. User input should never be trusted and should be validated using a whitelist approach at the earliest stage. Layers of defense like regular expression validation and bounds checking should be used. Input can be validated using known good, known bad, or exact match approaches against expected values or formats. Escaping input is not enough--invalid input should be rejected rather than processed.
Securing BGP: Operational Strategies and Best Practices for Network Defenders... (APNIC)
Md. Zobair Khan, Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
HijackLoader Evolution: Interactive Process Hollowing (Donato Onofri)
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Discover the benefits of outsourcing SEO to India (davidjhones387)
Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Integrating Physical and Cybersecurity to Lower Risks in Healthcare! (Alec Kassir cozmozone)
The contemporary hospital setting is witnessing a growing convergence between physical security and cybersecurity. Because of advancements in technology and the rise in cyberattacks, healthcare facilities face unique challenges.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum... (APNIC)
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
2. Where are we going?
Web Security and HTTP Basics
What is Web Application Security?
HTTP GET/POST
HTTP Security Response Headers
Sensitive data in transit
stuff
More stuff
3. Today’s State: "Our Website Is Safe"
We Use Network Vulnerability Scanners: this neglects the security of the software on the network/web server
We Have Firewalls and IPS in Place: ports 80 & 443 are open for the right reasons
We Audit It Once a Quarter with Pen Testers: applications are constantly changing
We Use SSL Encryption: it only protects data between site and user, not the web application itself
We Outsource
5. • A traditional end of cycle / annual pentest only gives minimal security…
• There are too many variables and too little time to ensure “real security”.
6. Two weeks of ethical hacking
versus ten man-years of development
7. Make this more difficult: Let's change the application code once a month.
10. Application Code
Degrees of trust: More ... Less
COTS (Commercial off the shelf)
Outsourced development / Sub-Contractors
Bespoke outsourced development
Bespoke Internal development
Third Party APIs
Third Party Components & Systems
You may not let some of the people who have developed your code into your offices!!
13. Doing things right != Doing the right things
“Not all bugs/vulnerabilities are equal”
Contextualize Risk (is XSS / SQLi always High Risk?)
Do developers need to fix everything?
• Limited time
• Finite Resources
• Task Priority
• Pass internal audit?
White Noise
Where do we go now?
16. Application Vulnerabilities Overview
• Application security vulnerabilities can be roughly broken down into 4 categories.
• Application Infrastructure
  • Application infrastructure misconfigured
  • Data passed between browser and server not secured
• Application Controller/Server Tier not coded Securely
  • Broken Authentication and Session Management
  • Business object references (identifiers) not properly secured
  • Failure to Restrict URLs Properly
  • Unvalidated Redirects and Forwards
• Vulnerabilities at the Browser Level
  • Unvalidated data becomes a script executed on the browser
  • Logged in user's session is able to be forged
• Vulnerabilities at the Persistence Tier
  • Database access not properly written to use SQL securely
  • Data not stored in a cryptographically secure way
17. Developer Security?
Developers rarely get application security training in school
The protocols we use for web development are insecure
The languages we use for web development are insecure
The frameworks we use for web development are insecure
Developers rarely get prescriptive security requirements at work
Developers rarely get good assessment technology to verify if they are writing secure code and applications
Recipe for Disaster!
18. Secure Application Design Principles
Practice least privilege: applications should execute with the least privilege required to perform a job.
Employ secure defaults: choose appropriate features for users and ensure that these features are secure.
Validate data from all sources: always assume that data from any source is malicious and validate it before use.
Fail to a secure mode: design applications to fail to a secure state and never disclose confidential data or grant elevated privileges.
Prevent information leakage: do not unintentionally reveal information about the way an application works.
Practice defense in depth: use multiple layers of security instead of a single mechanism.
Secure the weakest link: secure your application to prevent it from being the "weakest" link.
Escape/Encode: convert data that is used by parsers into a non-executing context.
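Several of these principles applied to one small request handler, as an added example rather than code from the deck. The role table, the HTML fragment and the inputs are constructed. The username is validated against an allow-list, the free-text bio is only length-checked and then encoded for the HTML body context, the same name is percent-encoded again when it lands in a URL (a different parser, so a different encoding), an unknown role is denied by default, and any failure returns a generic message instead of exception text.

```python
import html
import re
from urllib.parse import quote

# Constructed role table: a role with no entry has no permissions at all.
ROLE_PERMISSIONS = {"viewer": {"read"}, "editor": {"read", "write"}}

# Allow-list for usernames: validate the shape, do not try to strip "bad" characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
MAX_BIO_LEN = 500

GENERIC_ERROR = "<p>Request could not be processed</p>"
ACCESS_DENIED = "<p>Access denied</p>"


def validate_username(value) -> str:
    """Validate data from all sources: reject anything outside the allow-list."""
    if not isinstance(value, str) or not USERNAME_RE.match(value):
        raise ValueError("invalid username")
    return value


def validate_bio(value) -> str:
    """Free text is allowed, but it must be text and bounded in size."""
    if not isinstance(value, str) or len(value) > MAX_BIO_LEN:
        raise ValueError("invalid bio")
    return value


def is_allowed(role, action: str) -> bool:
    """Secure defaults / fail closed: a missing role or action means deny."""
    return action in ROLE_PERMISSIONS.get(role, frozenset())


def render_profile(name, bio, role) -> str:
    """Build a profile fragment for an HTML page.

    Validation happens first, authorization is denied unless explicitly granted,
    every value is encoded for the context it is written into (escape/encode,
    defense in depth even for the already-validated name), and any exception
    collapses to a generic message (fail secure, prevent information leakage).
    """
    try:
        safe_name = validate_username(name)
        safe_bio = validate_bio(bio)
        if not is_allowed(role, "read"):
            return ACCESS_DENIED
        return (
            '<div class="profile">'
            "<h2>%s</h2>"                              # HTML body context
            "<p>%s</p>"                                # HTML body context, untrusted free text
            '<a href="/users/%s">profile link</a>'     # URL path-segment context
            "</div>"
        ) % (html.escape(safe_name), html.escape(safe_bio), quote(safe_name, safe=""))
    except Exception:
        # Never echo the exception or the offending input back to the client.
        return GENERIC_ERROR
```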
19. Web application security risks
Blurring traditional boundaries: organizations are exposing internal data and critical functionality to the public Internet through web application deployments.
Data privacy: weak security controls may be exploited by skilled attackers to access sensitive information or perform unauthorized activities on your organization's systems.
Impact of a security breach: loss of customer confidence and reputational damage via the negative publicity associated with a security breach.
20. Web Application Security
(Diagram: three hosts in a row, each with its apps behind a firewall: web server, app server, DB server with the database.)
Securing the application: input validation, session mgmt, authentication, authorization, config mgmt, error handling, secure storage, auditing/logging, XSS defense
Securing the network: router, firewall, switch
Securing the host: patches/updates, accounts, ports, services, files/directories, registry, protocols, shares, auditing/logging
21. (Slide background: a BASIC-style microcontroller routine that bit-bangs a remote-control code on pin gpio.2, reflowed from the visible fragment; the listing is cut off on the slide.)
    sub procedure sendBit2(dim b as boolean)
      if (b) then
        gpio.2 = 1
        delay_us(1125)
        gpio.2 = 0
        delay_us(375)
      else
        gpio.2 = 1
        delay_us(375)
        gpio.2 = 0
        delay_us(1125)
      end if
    end sub

    sub procedure sendPair(dim b as boolean)
      sendBit(false)
      sendBit(b)
    end sub

    sub procedure sendPair2(dim b as boolean)
      sendBit2(false)
      sendBit2(b)
    end sub

    sub procedure switchcode2(dim b as boolean)
      '// house code 1 = B
      sendPair2(true)
      sendPair2(false)
      sendPair2(false)
      sendPair2(false)
      '// unit code 2
      sendPair2(true)
      sendPair2(false)
      sendPair2(false)
      sendPair2(false)
      '// on = 14
      sendPair2(false)
      sendPair2(true)
      sendPair2(true)
      sendPair2(b)
      sendBit2(false)
    end sub

    sub procedure switchcode(dim b as boolean)
      '// house code 1 = B
      sendPair(true)
      sendPair(false)
      sendPair(false)
      sendPair(false)
      '// unit code 2
HACKING
1. Injection
2. Cross-site scripting
3. Broken authentication/session management
4. Insecure direct object references
5. Cross site request forgery
6. Security misconfiguration
7. Insecure cryptographic storage
8. Failure to restrict URL access
9. Insufficient transport layer security
10. Un-validated redirects and forwards
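Two of the listed items worked in Python: validating a redirect target (item 10) and a synchronizer token for cross-site request forgery (item 5). This is an added example, not code from the deck; the host allow-list, the server secret and the session identifiers are constructed. The redirect check decides on the parsed scheme and host rather than on string prefixes, which is what defeats the usual bypasses (protocol-relative `//host`, credentials before an `@`, look-alike hosts, `javascript:` and backslash or tab tricks that browsers normalize). The CSRF token is an HMAC over the session id and a fresh nonce, so a token stolen from one session is useless in another.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for the demo; a real deployment loads these from configuration.
ALLOWED_HOSTS = frozenset({"app.example.com", "example.com"})
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback: str = "/") -> str:
    """Return `target` only if it stays on an allowed origin, otherwise `fallback`.

    Accepts either a path on our own origin ('/account') or an absolute http(s)
    URL whose parsed hostname is in the allow-list. Everything else, including
    '//evil', 'https://good@evil', 'https://good.evil', 'http:///evil' and
    'javascript:...', falls back.
    """
    if not isinstance(target, str):
        return fallback
    target = target.strip()
    # Browsers drop tabs/newlines and treat '\' like '/', so refuse both outright
    # instead of trying to predict how they will be normalized.
    if "\\" in target or any(c.isspace() or ord(c) < 0x20 for c in target):
        return fallback
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Path-only target; '//host' has already been parsed into netloc above,
        # and '//' or '///...' is still refused because of how browsers read it.
        return target if target.startswith("/") and not target.startswith("//") else fallback
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return target
    return fallback


def _csrf_mac(session_id: str, nonce: str, secret: bytes) -> str:
    return hmac.new(secret, (session_id + ":" + nonce).encode(), hashlib.sha256).hexdigest()


def make_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Synchronizer token bound to the session: 'nonce.mac', embedded in each form."""
    nonce = secrets.token_hex(16)
    return nonce + "." + _csrf_mac(session_id, nonce, secret)


def check_csrf_token(token, session_id: str, secret: bytes = SERVER_SECRET) -> bool:
    """Verify a submitted token against the session that submitted it (constant-time compare)."""
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    return hmac.compare_digest(mac, _csrf_mac(session_id, nonce, secret))
```

The token check needs the session id from the server-side session, not from the request body; if the attacker could supply both the token and the session id it is bound to, the HMAC would prove nothing.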
24. THE NETWORK IS NO LONGER THE POINT OF CONTROL
PEOPLE: employees, contractors, customers & partners
DEVICES: phones, servers, laptops, tablets
DATA: unstructured & structured
THE NEW
25. • The network has become the battlefield
• Forcing defense of the entire network
• Low situational awareness on the network: who, what, when, why?
• Low awareness increases vulnerability
DEFEND EVERYTHING vs. DEFEND THE CORE
29. Identity and Access Management
(Diagram: a layered stack of Device, User, Service, App, MW, Database, OS, Virtual Machine, Servers and Storage, annotated at End User Level, Service Level and Operator Level.)
• Secure data across all tiers of storage
• Monitor and configure securely
• Complete database protection
• Secure user access to data and transactions
• Security without a performance penalty
• Secure container for applications
• Security built into the infrastructure
Identity propagation & consistent access policies
30. DON’T SECURE YOURSELF OUT OF BUSINESS
• You can’t defend everything
• Assume you are already breached
• Protect your most valuable assets
• Have a plan and execute the plan
31. US Interstate Highway System
Initial cost vs. maintenance cost
http://cdmsmith.com/en-US/Insights/Funding-Future-Mobility/Exit-6-Aging-Interstates.aspx
"Interstate-related expenditures during the next 50 years will likely reach $2.5 trillion. The interstate system is anything but 'paid for'" - http://cdmsmith.com
32. Gratuitous slide to distract you so you can blame your insecure code on me
Baseball + Bat = $1.10
How much is the bat if it costs $1.00 more than the ball?
33. Answer:
• Although $1.00 + $0.10 does equal $1.10,
• $1.00 – $0.10 is only $0.90, so a $1.00 bat and a $0.10 ball do not satisfy the condition.
• The problem requires that the bat costs $1.00 more than the ball.
• The ball must cost $0.05 and the bat $1.05, since $1.05 + $0.05 = $1.10 and $1.05 – $0.05 = $1.00.
Editor's Notes
1
Every company and customer that we meet tells us the same story. You might agree that this is where you are…you’ve invested a lot of money in your firewalls and network vulnerability scanners and you’re using pen testers…is that the case?…but each time we show the following slide, everyone has a different perspective.
The most common way that web applications are verified for security is to hire a security professional to conduct a penetration test.
Software Food Chain
http://readwrite.com/2013/02/21/tesla-and-the-fallacy-of-data-driven-decisions Tesla and the fallacy of data-driven decisions, I'm going to bring this up
Note that security is often begun in the network and host boxes, but application security requires work at the top box (application layer)