The document discusses various topics related to application security testing, including the HTTP and HTTPS protocols, man-in-the-middle attacks, authentication techniques, and vulnerabilities such as SQL injection, session management issues, cross-site scripting, and code quality weaknesses. It also mentions several security testing tools and frameworks for analyzing applications.
An overview of all the things that can go wrong when developers attempt to implement a Chain of Trust, also called "secure boot". Starting from design mistakes, we look at crypto problems, logical and debug problems, and move towards Side Channel Attacks and Fault Injection.
Focused on Automotive, Pay-TV, Gaming and mobile devices.
Asanka Fernandopulle and I conducted a corporate-level workshop on Application Security. This workshop covered areas such as application security threats, secure coding practices, application penetration testing and web application exploitation. The workshop mainly consisted of practical sessions and demonstrations. You can find all the presentations here.
These presentation slides mostly contain the headings and topics of the discussed areas, since the meet-up was a practical, live-demonstration type of Application Security session.
Azure 101: Shared responsibility in the Azure Cloud - Paulo Renato
Whether you’re working exclusively on Azure or with multiple cloud environments, there are certain things you should consider when moving assets to the public cloud. As with any cloud deployment, security is a top priority, and moving your workloads to the Azure cloud doesn’t mean you’re not responsible for the security of your operating system, applications, and data.
Building on the security of the Azure infrastructure, this shared security responsibility starts with making sure your environment is secure. In this session, we will discuss step-by-step what you need to do to secure access at the administrative, application and network layers.
The presentation covers an analysis of microservices architecture and design patterns (such as API gateway, log aggregation and more) in order to examine how certain aspects of security are achievable at scale through these patterns.
Virtualization Forum 2015, Praha, 7.10.2015
Hall B
If SlideShare does not display the presentation correctly, you can download it in .ppsx or .pdf format.
In this presentation I talked about:
Secure Software Development Life Cycle.
Design Issues.
Threat Modeling.
Static Code Analysis.
Pentesting.
Resources.
Securing Microservices in Containerized Environments - DevOps.com
Modern software development involves breaking applications up into smaller microservices deployed in containers. In this microservice world, teams focus on the higher, more abstracted tiers of the stack - the application, the container, and the orchestrator - with the cloud infrastructure provider handling everything else. That may make it seem like security should be easier for these layers; after all, there are fewer tiers in the stack to monitor. In reality, it can actually be more challenging because they rely on frequently changing, de-coupled ephemeral services communicating over unreliable networks.
Cloud security requires an understanding of the movement of data into and out of the application from the internet, the movement of information between services at runtime, and the way the services run atop the abstracted layers of infrastructure (container host, container orchestrator). This webinar will explain these challenges and suggest steps that security teams can take to overcome them.
This presentation is on the basics of cyber security and cloud computing, and it also addresses aspects of ethical hacking in detail.
The URL of the live presentation: http://syscolabs.lk/blog/cyber-security-and-cloud-computing/
This presentation by Christopher Grayson covers some lessons learned as a security professional who has made his way into software engineering full time.
2. Basics of Application Security
• HTTP and HTTPS
• Symmetric key
• Asymmetric key
• Session key
• Analyzing a certificate
• Sniffing HTTP and HTTPS
• Calomel plugin
1/1/2013 99X Technology(c) 2
3. Basics of Application Security
• Man in the middle
• Analyzing browser requests
• Analyzing server response
• HTTPS communication
• HTTPS and S-HTTP
4. Basics of Application Security
• What OWASP does
• Builders, Breakers and Defenders
5. Web Application penetration testing
• Basic web testing methodology
• Vulnerability, Threat and Exploit
• Developer level application security overview - Asanka
6. Web Application penetration testing
• Application Security frameworks
• Before development begins
• During definition and design
• During development
• During deployment
• Maintenance and operations
12. Secure Authentication
• Parameter tampering
• Bypass HTML Field restrictions
• Exploit hidden fields
• Bypass client side JavaScript validation
• Coding controls for Parameter Tampering
13. Secure Authentication
• Access control flaws
• Using an Access control matrix
• Bypass a path based access control scheme
• Bypass data layer access control
14. Injections
• SQL injection classes
• In band
• Out of band
• Inferential
15. Injections
• Techniques to exploit SQL injections
• Union operator
• Boolean
• Error based
• Out of band
• Time delay
16. Injections
• Standard SQL injection testing
• SELECT * FROM Users WHERE Username='$username' AND Password='$password'
• Numeric SQL injection
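The slide's login query, as an added example that is not part of the original deck (Python with sqlite3 and a constructed in-memory Users table): the string-built version is satisfied by a tautology in the password field, while the same query with bound parameters treats that input as an ordinary, non-matching string.

```python
import sqlite3


def make_db():
    """Constructed in-memory Users table for the demonstration (not from the slides).
    Plaintext passwords are kept only to mirror the slide's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """The slide's query built by string substitution: user input becomes SQL text,
    so quotes and operators in the input change the statement's logic."""
    query = ("SELECT * FROM Users WHERE Username='%s' AND Password='%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_param(conn, username, password):
    """Same query with bound parameters: the driver passes the input as data, so it
    is compared literally and never parsed as part of the statement."""
    query = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # constructed input: AND binds tighter, so OR '1'='1' wins
    print("concat, real password:", login_concat(db, "alice", "correct horse"))
    print("concat, tautology:    ", login_concat(db, "alice", tautology))
    print("param, tautology:     ", login_param(db, "alice", tautology))
```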
24. Session Management
• Check your cookies
• Cookie collection
• Cookie reverse engineering
• Cookie manipulation
• Hijack a session
• Spoof an authentication cookie
• Session fixation
25. Session Management
• How developers work on session handling
26. Code Quality
• Code quality breach
• Discover clues in the HTML
27. Cross Site Scripting
• Scripting types
• Reflected cross site scripting (non-persistent XSS)
• Stored cross site scripting (second-order XSS)
• DOM based cross site scripting (Type 0 XSS)
28. Cross Site Scripting
• Reflected cross site scripting (non-persistent XSS)
• Testing for reflected XSS
• Reflected XSS
29. Cross Site Scripting
• Bypass XSS filters
• Tag Attribute Value
• Different syntax or encoding
• Bypassing non-recursive filtering