This document summarizes a presentation on SQL injection prevention. It introduces the three presenters - Colin Buckton from OWASP, David Klassen who will demonstrate SQL injection, and Jose Kaharian who will discuss the BSIMM study. Buckton covers OWASP resources and describes SQL injection vulnerabilities. Klassen demonstrates SQL injection in a code sample and how to prevent it. Kaharian discusses a study of software security initiatives in businesses and how secure coding is becoming a priority in hiring. The presentation aims to raise awareness of SQL injection risks and prevention best practices.
Security Champions - Introduce them in your Organisation - Ives Laaf
How to get security software development established, training of teams. A methodology based on the concept of security champions and owasp tools and guides.
How to build app sec team & culture in your organization the hack summi... - kunwaratul hax0r
This talk is completely dedicated to how to build application security culture and team in your organization. I have presented this talk at The Hack Summit Poland.
Nsc42-CSA AGM is the cloud secure - is easy if you do it smart - NSC42 Ltd
The talk will take the audience on a journey on the cloud evolution, the recent hacks and the need to make security everyone's responsibility.
The talk will explore major challenges in cloud transformation from an organization and security perspective with top 8 solutions to address them.
The solution will explore:
the shared responsibility model
Foundation architecture
Cloud pattern available
Design security and security by design
Gamification and the use of EoP in everything security
Shift left and bringing security at the beginning of the development
Security testing and automation
DEV-SEC ops and the integration of Security and Business/Architecture
If time is available the talk will explore the top 5 key cloud patterns (Account isolation, Firewall and access control, Logging and cascade pattern, Identity and access management, Key/secret management)
Audience Take Away:
When starting a cloud security journey or by being already into one what shall you do and consider.
Key security element to consider from day 1 to delivery
Automation and why it is so vital to automate security vulnerability
Tragic story of unnecessary death from cardiac arrest. Most people are unaware of how real and frequently deaths occur in otherwise healthy people who are too young to die. Everyone should learn CPR.
This document discusses buffer overflow exploits and remote network exploits. It provides examples of assembler code that creates a listener on port 30464 to demonstrate how an exploit works. It also discusses ways to prevent unwanted security breaches like staying aware of exploits, proofing code for vulnerabilities, and recompiling executables on each machine. Questions are posed at the end for further discussion.
1. The Remote Frame Buffer (RFB) protocol allows remote access to graphical user interfaces by treating the frame buffer as a series of rectangles of pixel data.
2. The RFB protocol uses a client-server model where the client requests updates from the server in response to changes at the frame buffer. This makes the protocol adaptive to network speeds.
3. The protocol supports input from keyboards and pointing devices by having clients send input events to the server, and defines several encodings for efficiently transmitting rectangle updates of pixel data.
This document discusses various security topics including application security, injection vulnerabilities, infrastructure security, and developing a security strategy and plan. It covers the Open Web Application Security Project (OWASP) top 10 risks, examples of SQL and OS injection vulnerabilities, mitigation techniques like input validation and web application firewalls, and approaches to infrastructure security like preventing DDoS attacks and unauthorized access. The importance of continuous improvement, monitoring, and prioritizing security is emphasized.
This document summarizes best practices for building an application security program at a startup. It recommends getting organizational buy-in, building a security team by networking and attending events, and shifting security left by training developers. It also discusses implementing threat modeling, carefully vetting security vendors, embedding security engineers with developer teams, and continuing to improve processes over time. The overall message is that security is a collaborative effort involving the whole company.
Reveal the Security Risks in the software Development Lifecycle Meetup 060320... - lior mazor
Stay safe, grab a drink and join us virtually for our upcoming "Reveal the Security Risks in the Software Development Lifecycle" Meetup to learn how to find application security threats, issues in software development life cycle, build mature application security incident response processes and implement application security posture management.
Agenda:
17:00 - 17:05 - 'Opening words' - by Gary Berman (Cyber Heroes Network)
17:05 - 17:35 - 'Why securing the SDLC fails at scale' - by Liav Caspi (Co-Founder & CTO at Legit Security)
17:35 - 18:05 - 'The Real AppSec Issues' - by Josh Grossman (CTO at BounceSecurity)
18:05 - 18:35 - 'Application security and IR process' - by Vitaly Davidoff (Application Security Lead at JFrog)
18:35 - 19:00 - 'The ASPM way - a new approach' - by Liav Caspi (Co-Founder & CTO at Legit Security)
You will learn what is Security Development Lifecycle (SDL).
You will understand why SDL is important.
You will dive in details of SDL and you will see tips for each SDL phase.
You will realize how to roll out an SDL in your organization.
Finally, you will have all skills to deliver a secure product.
The interim presentation summarized an automated security tool being created with GUI and CLI formats. It covered 8 security modules: SQL injection detection, network analysis, malware detection, keyloggers, data loss prevention, phishing detection, SSL certificate analysis, and data protection. The project is currently in development with 2 phases completed involving SQL injection and network analysis modules. Methodologies used include Python, Flask, and machine learning. The goal is to help industries secure data and avoid losses through an efficient automated cybersecurity tool.
This document discusses application security and Trustwave's 360 Application Security solution. It begins by noting common vulnerabilities in web and mobile applications and how cybercriminals exploit weaknesses. It then outlines Trustwave's solution, which takes a lifecycle approach to application security from design through production. This includes services like secure development training, code reviews, penetration testing, and a web application firewall. The document argues that application security is important because vulnerabilities are common, exploits are expensive to fix, and a holistic solution is needed to effectively address risks across the development process.
24may 1200 valday eric anklesaria 'secure sdlc – core banking' - Positive Hack Days
Secure SDLC aims to integrate security practices into the entire software development lifecycle for core banking applications. It addresses shortcomings like lack of security requirements documentation, threat modeling, secure design practices, developer security training, and security testing. Implementing a Secure SDLC helps ensure core banking applications are developed securely through practices like threat modeling, secure coding guidelines, security testing, and ongoing security reviews of applications and infrastructure. This helps protect critical banking data and systems from threats while maintaining regulatory compliance.
Secure SDLC processes help address security issues in core banking applications. Statistics show that over half of developers and security personnel lack application security training, and there is little collaboration between development and security teams on security. Core banking systems store critical customer information, so security compromises could impact regulatory compliance. Traditional SDLC processes do not explicitly include security activities, while secure SDLC integrates security throughout requirements, design, development, testing and deployment phases. This helps mitigate risks through practices like threat modeling, secure coding standards, security testing and ongoing security reviews of deployed applications.
Daniel Kefer from 1&1 Internet AG presented on 1&1's secure software development lifecycle (SDLC). He began by introducing himself and 1&1. He then discussed the motivation for a secure SDLC, noting the higher costs of fixing bugs later in development. Kefer outlined the common approaches to application security as intuitive, reactive, or proactive. 1&1 aims to take the proactive approach through their SDLC methodology. He described their methodology, including classifying systems based on risk level and assigning different security requirements at each level across both the development lifecycle and technical categories. Kefer finished by discussing 1&1's plans to expand usage and continuous improvement of their SDLC methodology.
This document provides an overview and agenda for a 4-day security training on .NET applications. Each day will discuss 2-3 security attacks and how to prevent them, include hands-on exercises and homework. The goal is for participants to understand security in .NET apps, learn about various attacks and defenses, and gain confidence in debugging and fixing issues. Participation and asking questions are encouraged. The trainer will provide security expertise and help find answers if unknown. Connecting on LinkedIn after is suggested to stay informed.
Secure coding is the practice of developing software securely by avoiding security vulnerabilities. It involves understanding the application's attack surface and using techniques like input validation, secure authentication, access control, and encrypting sensitive data. The OWASP organization provides free tools and guidelines to help developers code securely, such as their Top 10 security risks and cheat sheets on issues like injection, authentication, and access control. Developers should use static and dynamic application security testing tools to identify vulnerabilities and continuously learn about secure coding best practices.
The document discusses the history and evolution of DevOps practices over time, from concepts like daily builds in the 1990s to more recent approaches like infrastructure as code and serverless architectures. It provides an overview of key figures and texts that helped establish ideas like continuous integration, continuous delivery, and site reliability engineering. The document also shares the author's perspective on what commercial security tools have been developed for DevOps workflows and mentions some open source collaboration and automation tools.
Bringing the hacker mindset into requirements and testing by Eapen Thomas and... - QA or the Highway
This document discusses bringing a hacker mindset to requirements and testing for application security. It begins by highlighting statistics showing the poor state of application security and vulnerabilities. The document then contrasts producer and consumer views of quality, and explains why security requirements are difficult by nature. It provides examples of threat modeling and negative testing techniques that can help requirements analysts and testers think like hackers to identify vulnerabilities. The presentation calls for adopting these adversarial techniques to improve application security.
Application Security - Your Success Depends on it - WSO2
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
Mike Spaulding - Building an Application Security Program - centralohioissa
Application Security in many organizations is simply a 'wish list' item, but with some staff and some training, AppSec can be a reality, even for a small organization. This talk will discuss the best practices, strategies and tactics, and resource planning to build an internal AppSec function - enterprise to 'mom & pop' operations will all benefit from this talk.
This document provides guidance on building an application security program. It discusses common application security threats and vulnerabilities. The goal of application security is to reduce application risks. Methods include static code analysis, dynamic testing, and manual verification at different stages of the software development lifecycle. The document recommends starting simple, setting policies and standards, scaling application security as development scales, and verifying third party applications. It emphasizes the importance of continuous improvement, metrics, and alignment with development processes.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
1. ABC's of Software Security
SQL Injection Prevention
Presented by:
Colin Buckton
Jose Kaharian
David Klassen
2. Introduction
● Colin Buckton
○ OWASP - Web Security Awareness Group
○ SQL Injection Vulnerability Description
● David Klassen
○ Demonstrate SQL Injection and what is at risk
○ Show prevention of SQL Injection at the code level
● Jose Kaharian
○ Business Research Concerning Security (BSIMM)
○ Secure coding is becoming a hiring priority
3. Colin Buckton
● Easy Ways to Learn about Web App Security
○ OWASP - Web App Security Awareness Group
○ Web App Sec Tutorial Video Series on YouTube
○ Top Ten - Web Application Security Risks
○ Top Ten Item #1 - SQL Injection Vulnerability
4. Three Stages of Software Security
Awareness
1. Progress begetting vulnerability accepted as reality
○ "To make an omelette..."
2. Onus fell on the consumer to protect themselves
○ Firewall, anti-malware, best-practices
○ Preventative measures cost companies money
3. Producers must design securely
○ Build-in security
○ Preventative measures save money
○ Awareness is needed
5. OWASP - The Open Web Application Security Project
● OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software
● Purpose: Help everyone build more secure web applications and services
● Founded December 1st, 2001
● Provides information and training materials in an "open-source" model
6. OWASP WebAppSec Tutorial Series
● OWASP provides a series of training videos
● Goal is to make "top notch" security training accessible to the public
● Making AppSec (Application Security) more visible
● Licensed under Creative Commons so you can share freely
7. OWASP Top 10 Project
● The Top 10 is a list of security risks to web applications as assessed by the OWASP Risk Rating Methodology.
● The names of the risks in the Top 10 stem from the type of attack, the type of weakness, or the degree of impact they cause.
9. #1 Top 10 item - SQL Injection
● Injection attacks are the top rated threat
● How they work:
○ A section of code in your program is vulnerable
○ Attacker sends text that exploits the syntax
○ This creates an unintended query -> SELECT * FROM accounts WHERE custID='' or '1'='1';
○ Interpreter returns data on ALL accounts, and may even access special commands and take over!
10. #1 Top 10 item - SQL Injection
● How to Prevent SQLi
● OWASP makes suggestions on how to fix this
○ Use a specific Application Programming Interface (API) that can interpret user input safely.
■ Interface objects can reinterpret user input in a safe manner
○ "Escaping" the user input for the interpreter
■ e.g. " ' or '1'='1 "
○ Use a whitelist of acceptable characters
■ e.g. Only allow alphanumerics for input
■ Not always feasible if some searches require those special characters
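The mechanism on slides 9 and 10, worked through in code. This is an added example, not code from the presentation or from the Lab21 application the speakers demonstrate: the `accounts` table, its three sample rows, and the 32-character ID bound are constructed for the demo. It runs the slide's tautology input against a string-concatenated query (which returns every account) and against the same query with a bound parameter (which returns nothing), then layers the alphanumeric allowlist on top.

```python
import re
import sqlite3

# Constructed sample data for the demo (not from the slides).
SAMPLE_ACCOUNTS = [("alice", 120.0), ("bob", 80.5), ("carol", 3000.0)]

# The tautology input behind slide 9's "custID='' or '1'='1'": it closes the
# quoted literal and appends an always-true condition.
TAUTOLOGY_PAYLOAD = "' or '1'='1"

# Allowlist from slide 10: customer IDs are alphanumeric only.
# The 1..32 length bound is an assumption of this example.
CUST_ID_PATTERN = re.compile(r"^[A-Za-z0-9]{1,32}$")


def make_db():
    """Build an in-memory SQLite database holding the sample accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT PRIMARY KEY, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, cust_id):
    """Deliberately vulnerable: user input is pasted into the SQL text, so the
    interpreter cannot distinguish data from syntax (slide 9's failure)."""
    sql = "SELECT custID, balance FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, cust_id):
    """Hardened: a bound parameter is always treated as a value, never as SQL
    (slide 10's "use an API that can interpret user input safely")."""
    sql = "SELECT custID, balance FROM accounts WHERE custID=?"
    return conn.execute(sql, (cust_id,)).fetchall()


def is_valid_cust_id(cust_id):
    """Allowlist check (slide 10): an extra layer, not a substitute for parameters."""
    return CUST_ID_PATTERN.fullmatch(cust_id) is not None


def lookup_defended(conn, cust_id):
    """Both layers together: reject malformed IDs up front, then bind the parameter."""
    if not is_valid_cust_id(cust_id):
        raise ValueError("rejected customer ID: %r" % cust_id)
    return lookup_parameterized(conn, cust_id)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "alice"))
    print("vulnerable, payload      :", lookup_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("parameterized, payload   :", lookup_parameterized(db, TAUTOLOGY_PAYLOAD))
    try:
        lookup_defended(db, TAUTOLOGY_PAYLOAD)
    except ValueError as err:
        print("allowlist rejected       :", err)
```

The concatenated query becomes `SELECT custID, balance FROM accounts WHERE custID='' or '1'='1'`, which is exactly the unintended query on slide 9, and the driver happily returns all three rows. With the parameter bound, the same input is compared as a literal customer ID, matches nothing, and the allowlist rejects it before a query is even built. Note that the allowlist alone is the weaker control, as the slide says: the moment a search legitimately needs quotes or spaces, only the parameterized query still protects you.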
11. David Klassen
● Demonstrate exploitation of Web App
○ Discuss compromise and worst facts about it
○ Talk about the tools used in detection
○ Show prevention of SQL Injection at the code level
○ Architectural things to think about
15. What SQLi is
● Can leak data or cause server level penetration.
● It exists in the Web Application itself
● Really this exists because it was coded into the app
● The wrong types of API/SQL calls are made
● Application does not handle/encode corner cases well.
16. SQLi Demonstration
● Lab21 that has been analyzed via ZAP
● sqlmap can be used to prove/exploit an SQLi
● Review database info enumerated via SQLi
● Fix the code
● Point out why it is fixed
● Show proof of the fix
■ https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
● Data model/architecture issues:
○ Never use sys/admin/root accounts
○ Application/Database user separation
○ Privilege separation for Admin features
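The architectural point above (never run the application as sys/admin/root; separate the application's database user from the administrative one) shown on a small scale. This is an added example, not code from the presentation; it emulates a restricted "application role" with SQLite's authorizer hook, since SQLite has no user accounts of its own (the role name and the `accounts` table with its three rows are constructed for the demo). The schema is created with full rights first, then the connection is restricted so that a later injected `DELETE` or `DROP TABLE` is refused by the database rather than by the application.

```python
import sqlite3

# Constructed sample data for the demo (not from the slides).
SAMPLE_ACCOUNTS = [("alice", 120.0), ("bob", 80.5), ("carol", 3000.0)]

# What the (hypothetical) application role may do: read rows and call built-in
# functions. INSERT/UPDATE/DELETE/DROP/ALTER/PRAGMA and everything else is denied.
APP_ROLE_ALLOWED = {
    sqlite3.SQLITE_SELECT,
    sqlite3.SQLITE_READ,
    sqlite3.SQLITE_FUNCTION,
}


def app_role_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """SQLite authorizer callback: runs at statement-prepare time for every
    operation and stands in for the database server's privilege check."""
    return sqlite3.SQLITE_OK if action in APP_ROLE_ALLOWED else sqlite3.SQLITE_DENY


def make_db():
    """Admin-time setup: schema and data are created with full rights,
    before the restricted role is applied to the connection."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit: no implicit BEGIN
    conn.execute("CREATE TABLE accounts (custID TEXT PRIMARY KEY, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def restrict_to_app_role(conn):
    """Drop privileges: from here on the connection behaves like the application user."""
    conn.set_authorizer(app_role_authorizer)
    return conn


def run_as_app(conn, sql, params=()):
    """Run one statement under the app role; return ('ok', rows) or ('denied', message).
    A denied statement raises sqlite3.DatabaseError ('not authorized') at prepare time."""
    try:
        return ("ok", conn.execute(sql, params).fetchall())
    except sqlite3.DatabaseError as err:
        return ("denied", str(err))


def count_accounts(conn):
    """Row count, used to show that denied statements changed nothing."""
    return conn.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]


def demo_privilege_separation():
    """Try a legitimate read and two destructive statements under the app role.
    Returns (read result, delete outcome, drop outcome, surviving row count)."""
    conn = restrict_to_app_role(make_db())
    read = run_as_app(conn, "SELECT custID FROM accounts WHERE custID=?", ("alice",))
    delete = run_as_app(conn, "DELETE FROM accounts")
    drop = run_as_app(conn, "DROP TABLE accounts")
    return read, delete[0], drop[0], count_accounts(conn)


if __name__ == "__main__":
    read, delete, drop, remaining = demo_privilege_separation()
    print("read as app role :", read)
    print("DELETE as app role:", delete)
    print("DROP as app role  :", drop)
    print("rows remaining    :", remaining)
```

The read succeeds and both destructive statements come back `denied` with all three rows intact. On a real server the same effect comes from creating a dedicated database user for the application and granting it only `SELECT` (and whatever DML it genuinely needs) on its own tables; the authorizer here only models that grant. The point for the SQLi discussion is that least privilege limits the damage of an injection the code-level fix missed, while the parameterized queries remain the primary control.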
18. Jose Kaharian
● BSIMM - Business Research about Security
○ Numerous security breach issues/prevention
○ Businesses are busy cleaning up their process/code
○ A study is useful for reflection about what works
○ Secure coding is becoming a hiring priority
19. SQLi Basic Facts
● Growing History of Actual Attacks
○ Sony PlayStation network
■ http://www.theregister.co.uk/2011/04/26/sony_playstation_network_security_breach/
○ Dating Site Hacks
■ eHarmony/PlentyOfFish
○ Heartland Payment Systems and TJX retailer (Winners/Homesense)
■ http://www.securityfocus.com/news/11557
● What is the result?
○ The finances and private lives of consumers are at stake.
○ Reduces consumer confidence in a company
20. How to reverse the trend?
● What is BSIMM?
○ Building Security In Maturity Model.
○ A study of real-world software security initiatives
○ Designed to help companies understand, measure, and plan a software security initiative
● What makes BSIMM so special?
○ Does not tell you what you should do; instead, it tells you what everyone else is actually doing.
○ This approach stands in sharp contrast to "faith-based" approaches to software security.
○ Can be used as a measuring stick, in comparison to other businesses.
○ Sharing data can help other organizations tackle real problems.
21. BSIMM4 Study of 51 Companies
● Businesses getting serious about Security:
22. Software Security Framework
● Four business areas for change
● Each with three basic security practices
● Note: Code Review and Security Testing included
23. Important Business Goals
● Convincing reasons for adopting security
● Offers a wide view of potential business benefits
● Compliance with PCI/PII/Privacy and Legal Regulations
24. Measure 111 Security Activities
● Here is a breakdown of one of the twelve practices
● Shows nine different possible activities
● Not all activities will match a business's needs
25. Businesses Can Participate
● The BSIMM study is open to new participants
● By joining the community a business can progress towards better consideration for security
● Businesses who participate can also gain from the anonymous intelligence shared by other businesses
● In general, businesses seeking to broaden or strengthen their security stance will benefit from this data
27. Security is becoming important
● More and more companies are attempting to find ways to combat fraud (Amazon, Microsoft, Apple etc.):
○ Big Data solutions to analyze transactions
○ Grappling with Social Engineering of credentials
○ Prevent attacks on users via your website's flaws
● By learning about security risks, and how to create better code, the value of your creations will go up.
● Companies are looking for talent that is willing to embrace a risk-savvy way of creating Apps.
● Especially in financial, telecom, and traditional high value markets
28. Class Exercise
Lab12a - Cross Site Scripting (XSS) Discovery:
http://dbavedb.comeze.com/xss.htm
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet