- DeltaGRiC Consulting is an SAP partner focused on helping organizations detect cybersecurity risks and compliance violations affecting their SAP and Oracle systems using ERPScan Monitoring Suite.
- Traditional approaches to SAP security like segregation of duties matrices are insufficient as advanced attacks are targeting application vulnerabilities. Widespread SAP systems expose critical business data to unauthorized access through vulnerabilities.
- Organizations struggle to effectively manage security risks from unpatched vulnerabilities in complex SAP landscapes that include new technologies like HANA and connections to IoT devices. Continuous monitoring of configurations and vulnerabilities is needed to protect SAP systems.
ISACA 2016 Annual Conference SA_State of Risk_Tunde Ogunkoya_DeltaGRiC_Consul..., by Tunde Ogunkoya
The document discusses risks related to commercial software like SAP and open source applications. It notes that application security is a shared responsibility of development teams, security teams, and businesses. It highlights trends like a growing number of vulnerabilities being found in open source code. The document recommends that organizations maintain accurate open source software inventories, identify vulnerabilities during development, and proactively monitor for new vulnerabilities.
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?, by michelemanzotti
This document discusses cyber attacks against SAP systems. It notes that while many organizations focus on segregation of duties controls for SAP security, the underlying business infrastructure is also vulnerable. The number of reported vulnerabilities in SAP systems has risen dramatically in recent years. The document outlines some of the external and internal threats facing SAP implementations, and reports that penetration tests conducted by the author's company routinely found major security issues in over 95% of SAP systems evaluated, leaving them exposed to espionage and sabotage attacks.
Understanding the “Why” in Enterprise Application Security Strategy, by Priyanka Aash
The Hershey Company initiated a strategic initiative to identify all of the truly critical IT assets that enable the company’s continued success. The evaluation confirmed the importance of protecting their business critical SAP systems. To get executive cross functional buy-in the security team implemented an SAP Vulnerability Management program with a clear strategy of “why” to influence results.
(Source: RSA USA 2016-San Francisco)
The document discusses incident response and SAP systems. It begins with an overview of Onapsis Inc. and the backgrounds of Juan Perez-Etchegoyen and Sergio Abraham. It then covers incident response concepts, including detection and classification of incidents, affected assets, legal actions, and impact analysis. The remainder provides an example case study of employee salaries being leaked and the analysis steps taken to investigate the incident.
A Risk-Based Mobile App Security Testing Strategy, by NowSecure
Originally presented on September 19, 2018
Given the volume and velocity of mobile apps, there simply aren’t enough resources to test them all in the same manner. There has to be a better way. NowSecure introduces a new framework to help organizations craft a Risk-Based Mobile App Security Testing strategy.
Watch the presentation here: https://www.nowsecure.com/webinars/a-risk-based-mobile-app-security-testing-strategy/
Building Cyber Resilience at the Speed of Business, by Rahul Neel Mani
The document discusses the growing threats to cyber security and resilience posed by increasing attacks, vulnerabilities, and reliance on the web across many industries. It notes that traditional on-premise security solutions are insufficient to address these challenges occurring at the edge, and that cloud-based solutions which analyze traffic across a global network are needed to proactively detect and mitigate attacks in real-time before they reach customer networks. The goal is to make businesses fast, reliable and secure at the network edge through client reputation analysis, bot management, and filtering of undesirable content.
Originally presented on 12/5/2017
To close out the 2017 webinar season, our mobile security expert panel will review the top mobile threats of 2017 (e.g., Cloudbleed, Bootstomp, Broadpwn, and more) and then debate what’s next in mobile app security and mobile app security testing for 2018. See the slides from this spirited discussion of the security ramifications of the new iPhone X, iOS 11, Android 8, the latest innovations in the mobile app security testing, and more. Compare your mobile app security and mobile app security testing initiatives with what our experts say should be your top priorities in 2018.
The document summarizes an integration between Damballa Failsafe and the Blue Coat Security Analytics Platform. It allows organizations to rapidly discover infected devices, analyze threats, and respond quickly. Damballa Failsafe can find hidden infections and prioritize risks, while the Security Analytics Platform provides comprehensive threat intelligence and analysis of network activity to help responders understand attacks. The integration enables information sharing so Failsafe alerts can be investigated further using full packet data from the Security Analytics solution.
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries, by NowSecure
Originally presented October 18, 2018
Enterprise-grade ephemeral messaging provider Vaporstream knows firsthand that security needs to be built into the software development lifecycle rather than bolted on. Serving highly regulated industries such as federal government, energy, financial services and healthcare, Vaporstream’s leakproof communication platform provides the highest level of assurance that compliance professionals require. Vaporstream partners with NowSecure to test and certify its Android and iOS mobile messaging apps.
This case study webinar covers how Vaporstream adheres to a rigorous secure app lifecycle in order to meet customer expectations for secure communications:
+ Designing a secure app architecture & development process
+ Incorporating security testing into the release cycle
+ Comprehensive penetration testing
The document discusses the evolution of cyber threats and detection capabilities. It argues that current security approaches are failing and that a new approach with complete visibility is needed. It promotes the RSA security analytics platform as a unified solution for advanced threat detection, investigation and response across network, endpoint, cloud and log data.
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA, by NowSecure
From the creators behind top mobile tools R2 and FRIDA, get the inside scoop on the R2 and FRIDA OSS projects. Led by NowSecure Research Team including David Weinstein, Ole André and Pancake (Sergi Àlvarez), this webinar speaks to our favorite mobile AST OSS projects. Peek behind the curtain on these tools, check out on their latest updates, and learn about potential future enhancements.
Originally Recorded July 19, 2019
Apple and Google’s forthcoming mobile operating systems boast a bevy of privacy features that enable users to seize more control of their personal data.
NowSecure Mobile Security Analyst Tony Ramirez will dive into Android and iOS application security and privacy enhancements and what they mean for mobile DevSecOps teams. Join us to learn about:
+ Increased transparency and granularity over location tracking
+ New protections for sensitive information
+ Safer data exchanges in Android Q through TLS 1.3 encryption
Prathan Phongthiproek, a manager at KPMG Thailand, gave a presentation on mobile application attacks at the Cyber Defense Initiative Conference (CDIC) 2016. The presentation covered various attack vectors for both Android and iOS applications, including user input attacks, abusing application components, insecure data storage, manipulating binary and storage files, bypassing root/jailbreak detection, and intercepting network traffic. For each attack vector, the presentation estimated the potential damage level and threat level. The goal was to help organizations better understand mobile application security risks and implement proper countermeasures.
Pactera - Cloud, Application, Cyber Security Trend 2016, by Kyle Lai
This document summarizes cybersecurity trends from surveys conducted in 2016. It finds that 38% of organizations have a maturing application security program, while 41% cited public-facing web applications as the leading cause of breaches. Regarding cloud security, 79% of respondents are implementing or using cloud environments actively, with infrastructure as a service being the most popular service. The document also introduces Pactera's cybersecurity services capabilities, which include application security testing, secure development training, and third-party risk management.
Security: Reality or Fiction: Control and Security in Your Applications, F5, by Cristian Garcia G.
Security TODAY focuses mainly on protecting your (physical) network and the devices connected to it. Given the current state of application deployments, and with the well-defined perimeter of the past disappearing and giving rise to new types of threats, this type of architecture is no longer sufficient.
Applications, and access to those applications, are becoming the new perimeter, and protecting them defines the FUTURE state of security.
SPEAKER: Enrique Medina - Territory Account Manager Colombia, Peru, Venezuela and Ecuador at F5 Networks
Enrique joined F5 in 2010 as head of strategy and country development for Colombia, Peru, Ecuador and Venezuela. He holds an MBA from the Universidad Externado de Colombia and is an electronics engineer from the Universidad Antonio Nariño; he has also completed several specializations in marketing at the Universidad de la Sabana.
Enrique was responsible for the earlier growth in Peru, which opened the door to hiring a Peruvian Country Manager.
Enrique is currently based in Bogotá, Colombia, and lives with his wife and three children.
CA World - mft1755 - gaps in your defense hacking the mainframe - philip young, by Philip Young
The document discusses gaps in mainframe security and how hackers are increasingly targeting mainframes. It notes that while mainframes are seen as inherently secure, they are actually vulnerable in several ways. The presentation will explore current mainframe hacking techniques using tools like Nmap, how flat network architectures have increased risk, and steps organizations can take to optimize mainframe security beyond just compliance, such as vulnerability scanning and penetration testing.
MDR-SOC is a cybersecurity framework service | Ampcus Inc, by Unified11
MDR-SOC is high performance, scalable, and uses Apache Metron as its base platform with C/C++ and Python as its core components. It indexes and searches log and other data in near real-time.
Stop Account Takeover Attacks, Right in their Tracks, by Imperva
During every hour of every day, cyber criminals silently bypass traditional perimeter controls. They use millions of stolen user credentials to take over Web application accounts, access sensitive applications, steal confidential data, and conduct fraudulent transactions. According to the latest Verizon DBIR report, over 50% of Web application attacks launched by organized crime in 2014 involved stolen credentials.
View this presentation to learn why real-time threat intelligence is the key to preventing Web account takeover attacks.
Building a Mobile App Pen Testing Blueprint, by NowSecure
Mobile penetration testing helps uncover app exploits and vulnerabilities and is a crucial component of risk assessment. However, many people fear the complexity and don’t know where to get started.
It all begins with a solid plan of attack. NowSecure veterans of hundreds of mobile app pen tests will walk you through the process of assembling a pen testing playbook to hack your app.
This webinar covers:
+ Tips and tricks for targeting common issues
+ The best tools for the job
+ How to document findings to close the loop on vulnerabilities.
Telsec Corp is a consulting firm established in 2012 that specializes in providing turnkey solutions for the telecom, IT, and IT security sectors. It has experts with over $250 million of project experience across multiple countries. Telsec offers unique access to specialist expertise and tools to provide innovative and customized solutions. Its vision is to be the number one provider of IT security, cloud computing, and telecom consultancy. It has a portfolio of products like the SharpEye detection system and CryptoPhone security solution. Telsec also provides various services around IT security, telecom consultancy, and cloud computing.
The document summarizes the key findings of a report analyzing 126 popular mobile health and finance apps. It found that while consumers and executives believe their apps are secure, 90% of apps tested had at least two of the top 10 mobile security risks as defined by OWASP. Specifically, 98% lacked binary protections and 83% had insufficient transport layer protection. The document then outlines the 10 most critical mobile security risks according to OWASP, including improper platform usage, insecure data storage, insecure communication, and extraneous functionality.
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus on what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
The document discusses the work of the Cloud Security Alliance (CSA) in securing cloud computing. It provides an overview of CSA, including its mission to promote best practices for cloud security, global membership, research projects, and certification programs for cloud providers (CSA STAR) and users (CCSK). It also outlines key cloud security challenges addressed by CSA, such as sharing threat intelligence, developing standards, addressing skills gaps, and ensuring regulatory frameworks keep pace with innovation.
From app sec to malsec: malware hooked, criminal crooked - alok gupta, by owaspindia
The document announces the OWASP InfoSec India Conference 2012 to be held on August 24-25, 2012 at the Hotel Crowne Plaza in Gurgaon, India. It includes an abstract and agenda for a presentation by Alok Gupta on the topic of malware trends. The presentation will discuss how malware has evolved over time and become more sophisticated, the different types of malware, trends in targeted malware and industrial espionage, and strategies for detection and mitigation.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security., by ITCamp
Security? It's simple. We have a Security Team... Security of our environment, applications and development is their responsibility. We follow best practices; we implement their suggestions (or not...).
But maybe today, in June 2018, when GDPR is a fact, we should look a little more closely at the security aspects: well-known and less-known risks, vulnerability assessments, secure coding, secure testing.
Let's discuss SEC/DEV/OPS/SDLC/OSSTMM/OWASP/ITIL and a few other acronyms. Use freely available knowledge and a specially prepared environment to check and test our security before we touch Visual Studio, PowerShell, the CLI, Visual Studio Code, or even JSON. Be #SecureByDesign
Why Zero Trust Architecture Will Become the New Normal in 2021, by Cloudflare
The COVID-19 pandemic brought changes no IT team was ready for: employees were sent home, customer interaction models changed, and cloud transformation efforts abruptly accelerated. Cloudflare recently commissioned Forrester Consulting to explore the impact of 2020 disruptions on security strategy and operations among companies of all sizes. To do so, they surveyed 317 global security decision makers from around the world.
Join our guest Forrester VP, Principal Analyst, Chase Cunningham, and Cloudflare Go-To-Market Leader, Brian Parks, for an in-depth discussion of the survey results, followed by practical guidance for next year’s planning.
The document provides information about the OWASP Top 10 Application Security Risks for 2013. It lists and describes the top 10 risks which are: A1-Injection, A2-Broken Authentication and Session Management, A3-Cross-Site Scripting, A4-Insecure Direct Object References, A5-Security Misconfiguration, A6-Sensitive Data Exposure, A7-Missing Function Level Access Control, A8-Cross-Site Request Forgery, A9-Using Components with Known Vulnerabilities, and A10-Unvalidated Redirects and Forwards. For each risk, it summarizes the associated security weakness and how attackers could potentially exploit it.
Many SAP systems are connected to the Internet and expose sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented.
SAP Hybris solutions are all about providing a connected front office. But the customer experience can easily get damaged if the data from your business partners or end customers is not secure. With the new EU General Data Protection Regulation (GDPR) coming into effect in May 2018, the need to protect your customers’ data is essential for your business. Learn how to reduce cost by integrating security into your implementation process to be ahead of the curve for future cyberattacks.
The document summarizes an integration between Damballa Failsafe and the Blue Coat Security Analytics Platform. It allows organizations to rapidly discover infected devices, analyze threats, and respond quickly. Damballa Failsafe can find hidden infections and prioritize risks, while the Security Analytics Platform provides comprehensive threat intelligence and analysis of network activity to help responders understand attacks. The integration enables information sharing so Failsafe alerts can be investigated further using full packet data from the Security Analytics solution.
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesNowSecure
Originally Presenter October 18, 2018
Enterprise-grade ephemeral messaging provider Vaporstream knows firsthand that security needs to be built into the software development lifecycle rather than bolted on. Serving highly regulated industries such as federal government, energy, financial services and healthcare, Vaporstream’s leakproof communication platform provides the highest level of assurance that compliance professionals require. Vaporstream partners with NowSecure to test and certify its Android and iOS mobile messaging apps.
This case study webinar covers how Vaporstream adheres to a rigorous secure app lifecycle in order to meet customer expectations for secure communications:
+ Designing a secure app architecture & development process
+ Incorporating security testing into the release cycle
+ Comprehensive penetration testing
The document discusses the evolution of cyber threats and detection capabilities. It argues that current security approaches are failing and that a new approach with complete visibility is needed. It promotes the RSA security analytics platform as a unified solution for advanced threat detection, investigation and response across network, endpoint, cloud and log data.
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDANowSecure
From the creators behind top mobile tools R2 and FRIDA, get the inside scoop on the R2 and FRIDA OSS projects. Led by NowSecure Research Team including David Weinstein, Ole André and Pancake (Sergi Àlvarez), this webinar speaks to our favorite mobile AST OSS projects. Peek behind the curtain on these tools, check out on their latest updates, and learn about potential future enhancements.
Originally Recorded July 19, 2019
Apple and Google’s forthcoming mobile operating systems boast a bevy of privacy features that enable users to seize more control of their personal data.
NowSecure Mobile Security Analyst Tony Ramirez will dives into Android and iOS application security and privacy enhancements and what they mean for mobile DevSecOps teams. Join us to learn about:
+ Increased transparency and granularity over location tracking
+ New protections for sensitive information
+ Safer data exchanges in Android Q through TLS 1.3 encryption
Prathan Phongthiproek, a manager at KPMG Thailand, gave a presentation on mobile application attacks at the Cyber Defense Initiative Conference (CDIC) 2016. The presentation covered various attack vectors for both Android and iOS applications, including user input attacks, abusing application components, insecure data storage, manipulating binary and storage files, bypassing root/jailbreak detection, and intercepting network traffic. For each attack vector, the presentation estimated the potential damage level and threat level. The goal was to help organizations better understand mobile application security risks and implement proper countermeasures.
Pactera - Cloud, Application, Cyber Security Trend 2016Kyle Lai
This document summarizes cybersecurity trends from surveys conducted in 2016. It finds that 38% of organizations have a maturing application security program, while 41% cited public-facing web applications as the leading cause of breaches. Regarding cloud security, 79% of respondents are implementing or using cloud environments actively, with infrastructure as a service being the most popular service. The document also introduces Pactera's cybersecurity services capabilities, which include application security testing, secure development training, and third-party risk management.
Seguridad: Realidad o Ficción: Control y Seguridad en sus Aplicaciones F5Cristian Garcia G.
La seguridad HOY se centra principalmente en proteger su Red (física) y los dispositivos conectados a ella. Dado el estado actual de los despliegues de aplicaciones y al desaparecer el perímetro bien definido del pasado, da lugar a nuevos tipos de amenazas, este tipo de arquitectura ya no es suficiente.
Las aplicaciones y el acceso a esas aplicaciones se están convirtiendo en el nuevo perímetro y su protección define el FUTURO estado de seguridad.
SPEAKER : Enrique Medina - Territory Account Manager Colombia, Peru, Venezuela and Ecuador at F5 Networks
Enrique se unió a F5 en el 2010 como responsable de la estrategia y el desarrollo de países de Colombia, Perú, Ecuador y Venezuela, tienen un MBA de la universidad externado de Colombia y es Ingeniero electrónico de la Universidad Antonio Nariño, adicionalmente a realizado diferentes especializaciones en marketing en la universidad de la sabana.
Enrique es responsable del crecimiento en el pasado en Perú el cual abrió la puerta para la contracción de un Country manager peruano.
En estos momentos enrique está basado en Bogotá Colombia y vive con sus 3 hijos y esposa.
CA World - mft1755 - gaps in your defense hacking the mainframe - philip youngPhilip Young
The document discusses gaps in mainframe security and how hackers are increasingly targeting mainframes. It notes that while mainframes are seen as inherently secure, they are actually vulnerable in several ways. The presentation will explore current mainframe hacking techniques using tools like Nmap, how flat network architectures have increased risk, and steps organizations can take to optimize mainframe security beyond just compliance, such as vulnerability scanning and penetration testing.
MDR-SOC is a cybersecurity framework services | Ampcus IncUnified11
MDR-SOC is high performance, scalable, and uses Apache Metron as its base platform with C/C++ and Python as its core components. It indexes and searches log and other data in near real-time.
Stop Account Takeover Attacks, Right in their TracksImperva
During every hour of every day, cyber criminals silently bypass traditional perimeter controls. They use millions of stolen user credentials to takeover Web application accounts, access sensitive applications, steal confidential data, and conduct fraudulent transactions. According to the latest Verizon DBIR report, over 50% of Web application attacks launched by organized crime in 2014 involved stolen credentials.
View this presentation to learn why real-time threat intelligence is the key to preventing Web account takeover attacks.
Building a Mobile App Pen Testing BlueprintNowSecure
Mobile penetration testing helps uncover app exploits and vulnerabilities and is a crucial component of risk assessment. However, many people fear the complexity and don’t know where to get started.
It all begins with a solid plan of attack. NowSecure veterans of hundreds of mobile app pen tests will walk you through the process of assembling a pen testing playbook to hack your app.
This webinar covers:
+Tips and tricks for targeting common issues
+The best tools for the job
+How to document findings to close the loop on vulnerabilities.
Telsec Corp is a consulting firm established in 2012 that specializes in providing turnkey solutions for the telecom, IT, and IT security sectors. It has experts with over $250 million of project experience across multiple countries. Telsec offers unique access to specialist expertise and tools to provide innovative and customized solutions. Its vision is to be the number one provider of IT security, cloud computing, and telecom consultancy. It has a portfolio of products like the SharpEye detection system and CryptoPhone security solution. Telsec also provides various services around IT security, telecom consultancy, and cloud computing.
The document summarizes the key findings of a report analyzing 126 popular mobile health and finance apps. It found that while consumers and executives believe their apps are secure, 90% of apps tested had at least two of the top 10 mobile security risks as defined by OWASP. Specifically, 98% lacked binary protections and 83% had insufficient transport layer protection. The document then outlines the 10 most critical mobile security risks according to OWASP, including improper platform usage, insecure data storage, insecure communication, and extraneous functionality.
La OWASP Top Ten fornisce un potente documento di sensibilizzazione per la sicurezza delle applicazioni web. La OWASP Top Ten rappresenta un ampio consenso su ciò che le falle di sicurezza delle applicazioni web più critiche sono. I membri del progetto includono una varietà di esperti di sicurezza di tutto il mondo che hanno condiviso la loro esperienza per produrre questo elenco.
The document discusses the work of the Cloud Security Alliance (CSA) in securing cloud computing. It provides an overview of CSA, including its mission to promote best practices for cloud security, global membership, research projects, and certification programs for cloud providers (CSA STAR) and users (CCSK). It also outlines key cloud security challenges addressed by CSA, such as sharing threat intelligence, developing standards, addressing skills gaps, and ensuring regulatory frameworks keep pace with innovation.
From app sec to malsec malware hooked, criminal crooked alok guptaowaspindia
The document announces the OWASP InfoSec India Conference 2012 to be held on August 24-25, 2012 at the Hotel Crowne Plaza in Gurgaon, India. It includes an abstract and agenda for a presentation by Alok Gupta on the topic of malware trends. The presentation will discuss how malware has evolved over time and become more sophisticated, the different types of malware, trends in targeted malware and industrial espionage, and strategies for detection and mitigation.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security (by ITCamp)
Security? It's simple. We have a Security Team... Security of our environment, applications and development is their job. We follow best practices, we implement their suggestions (or not...).
But maybe today, in June 2018, when GDPR is a fact, we should look a little more closely at the security aspects: well-known and less-known risks, vulnerability assessments, secure coding, secure testing.
Let's discuss: SEC/DEV/OPS/SDLC/OSSTMM/OWASP/ITIL and a few other acronyms. Use freely available knowledge and a specially prepared environment to check and test our security before we touch Visual Studio, PowerShell, the CLI, Visual Studio Code, or even JSON. Be #SecureByDesign
Why Zero Trust Architecture Will Become the New Normal in 2021 (by Cloudflare)
The COVID-19 pandemic brought changes no IT team was ready for: employees were sent home, customer interaction models changed, and cloud transformation efforts abruptly accelerated. Cloudflare recently commissioned Forrester Consulting to explore the impact of 2020 disruptions on security strategy and operations among companies of all sizes. To do so, they surveyed 317 global security decision makers from around the world.
Join our guest Forrester VP, Principal Analyst, Chase Cunningham, and Cloudflare Go-To-Market Leader, Brian Parks, for an in-depth discussion of the survey results, followed by practical guidance for next year’s planning.
The document provides information about the OWASP Top 10 Application Security Risks for 2013. It lists and describes the top 10 risks which are: A1-Injection, A2-Broken Authentication and Session Management, A3-Cross-Site Scripting, A4-Insecure Direct Object References, A5-Security Misconfiguration, A6-Sensitive Data Exposure, A7-Missing Function Level Access Control, A8-Cross-Site Request Forgery, A9-Using Components with Known Vulnerabilities, and A10-Unvalidated Redirects and Forwards. For each risk, it summarizes the associated security weakness and how attackers could potentially exploit it.
Many SAP systems are connected to the Internet and expose sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented.
SAP Hybris solutions are all about providing a connected front office. But the customer experience can easily get damaged if the data from your business partners or end customers is not secure. With the new EU General Data Protection Regulation (GDPR) coming into effect in May 2018, the need to protect your customers’ data is essential for your business. Learn how to reduce cost by integrating security into your implementation process to be ahead of the curve for future cyberattacks.
Secure HANA in the Cloud | Mitigating Internal & External Threats (by Symmetry™)
Enterprises today use the cloud for applications all across their IT landscape for tools like email, Salesforce, ServiceNow and more. Cost savings, operational stability, and reduced management effort are all proven advantages. But when we consider moving mission-critical systems at the heart of business such as SAP HANA – there is significant angst and uncertainty among IT and security professionals. Tom Evgey – Director of Cloud, Onapsis and Scott Goolik – VP of Compliance & Security, Symmetry explore various security issues organizations are facing when it comes to SAP HANA cloud deployments. During this presentation, we outline foundational elements and best practices for organizations to follow as they build a comprehensive security program when migrating SAP implementations to the cloud.
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) (by Onapsis Inc.)
The document discusses security vulnerabilities in SAP web applications. It describes how attackers can identify SAP components and versions through server banners and error messages. Some SAP web services like the "Info Service" are publicly accessible by default and return sensitive system information without authentication. Most SAP web services require authentication but have weak authorization checks by default, allowing authenticated users to execute many functionalities without proper authorization. The document provides recommendations to disable server banners, customize error pages, and strengthen authorization checks for SAP web services.
SAP Security – Dealing with the Internal Threat of Working from Home (by Dudley Cartwright)
Will working from home be the new normal? We look at the massive shift COVID-19 brought to our workplaces and identify five SAP security activities that organizations should consider to minimize the risk of the internal threat associated with remote working.
If you’d like to know how Soterion can assist you with managing SAP security issues discussed in this presentation please email info@soterion.com or connect with me via LinkedIn. We look forward to assisting you.
The interest in SAP security has been growing exponentially, and not only among whitehats. SAP invests money and resources in security, provides guidelines, and arranges conferences, but, unfortunately, SAP users still pay little attention to SAP security.
The presentation gives the most important takeaways for CISOs on providing SAP security for enterprises. It dispels the SAP security myths, includes statistics obtained by the ERPScan Research Group, and covers future trends in SAP security.
The 14 Most Common Security Risks For SaaS Applications And How To Fix Them (by Groovy Web)
Nowadays SaaS has become a trendy and widely used software model, but SaaS security concerns are growing with it. Market experts say that its buzz is not going to die down very soon.
Asset Discovery in India – Redhunt Labs (by RedhuntLabs2)
Leading asset discovery company Redhunt Labs provides a variety of solutions to assist companies in India in securing their online assets and guarding against cyber threats. Our agentless platform NVADR has been successful for many of our customers in locating significant data leaks across publicly exposed Docker containers. NVADR has the capability to continually monitor your exposed Docker assets from across the globe.
We also provide a free scan if you'd like to examine the attack surface of your company. Visit our page for more information.
The document discusses security issues related to SAP applications. It outlines 13 ways that SAP systems can be exploited to damage businesses. It then provides recommendations on how to assess security risks, prioritize updates, and comply with regulations to better protect SAP systems. The document also notes that ERPScan has discovered over 3,000 vulnerabilities in SAP products since 2007 and discusses the business risks of espionage, sabotage, and fraud if SAP systems are compromised.
The document discusses penetration testing of SAP systems. It begins with an introduction to SAP concepts like systems, instances, clients and remote function calls. It then discusses the need for penetration testing business applications due to lack of security during implementations. The document outlines the phases of SAP penetration testing: discovery to find SAP targets, exploration to gather information, and vulnerability assessment to identify security threats.
COVID-19 free penetration tests by Pentest-Tools.com (by Pentest-Tools.com)
We offered companies free penetration tests so they could improve their security and better cope with the emerging cyberattacks.
The report covers top security issues we found and experts' recommendations to avoid attacks that disrupt businesses.
The document discusses an application security platform that provides end-to-end security across web, mobile, and legacy applications. It utilizes multiple techniques like static analysis, dynamic analysis, software composition analysis, and web perimeter monitoring to identify vulnerabilities. The platform was designed for scale as a cloud-based service to securely manage global application infrastructures. It implements structured governance programs backed by security experts to help enterprises reduce risks across their software supply chains.
SAP Forensics: Detecting White Collar Cyber-crime (by Onapsis Inc.)
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customer data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is "no", are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has given us unique expertise on what the most critical attack vectors are and what kind of traces they leave (and don't leave) on victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which system tools are available to help you and what their limitations are. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
#askSAP GRC Innovations Community Call: Cybersecurity Risk and Governance (by SAP Analytics)
How is your organization tackling ever increasing cybersecurity threats? Do you have the proper structure and methods in place to effectively mitigate this constantly evolving risk?
Get a sneak preview on how SAP is helping companies embrace the age of digital transformation while rethinking their security strategy, especially as it relates to protecting business applications and improving overarching risk and governance programs.
Platform Security: "Are you really that attached to your ABAP security flaws, or can they go?"
-------------------------------------------------------------------------------------
Attacks on companies have increased exponentially in recent years. Not uncommonly, these were made possible by software vulnerabilities. SAP systems are particularly critical for many core business processes and should receive corresponding protections.
However, you'll only achieve a basic level of security that can weather stress tests and remain consistent if you take a truly head-to-toe approach to security. And that includes your ABAP code. In our experience to date, many companies balk at audits of their custom developments or 3rd-party add-ons, or are unsatisfied with the nearly unmanageable number of findings. How can this mass of supposedly critical security flaws be evaluated reliably? Where do you even start to clean up?
The newest module in our SAST SUITE, the Code Security Advisor, offers a solution. It is directly integrated into your SAP system and has a risk assessment enriched by key figures such as usage statistics for prioritization, an option to easily decommission obsolete code and a comprehensive set of rules with test cases developed by our SAP security and compliance consultants based on their years of experience.
-------------------------------------------------------------------------------------
For information in German, feel free to contact us: sast@akquinet.de
This document provides an overview of governance of security operations centers. It discusses the impact of disruptive technologies on organizations and the need for security operations centers to manage security risks. It covers designing an effective SOC including defining threats, processes, technology and acquiring a SOC. Operating a SOC includes defining expectations, baselining normal activity, using threat intelligence and handling incidents. Qualities of analysts and measuring SOC success are also discussed. Sustainable SOC governance principles like investing in people and emphasizing teamwork are presented.
Mobile devices can boost productivity and competitive advantage, but your enterprise-IT organization must support new mobile strategies, while complying with government regulations and maintaining security. See how you can implement robust security features in your existing apps with SAP Mobile App Protection by Mocana.
This document discusses the importance of securing SAP landscapes from cyber threats. It notes that SAP systems store high value data, but traditional SAP security focuses only on authorization and access controls. It introduces KPMG's SAP Landscape Cyber Security Assessment, which takes a holistic view of the entire SAP infrastructure and connected systems to identify vulnerabilities. The assessment uses KPMG's SAP Cyber Security Framework to evaluate governance, code security, operations, setup, and infrastructure across the SAP landscape.
1. …Your SAP/Oracle Landscape Security Assurance
“There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it.” – Gartner, Inc., 2012
Critical Application Risks (Cyber, Legal, Operational) in Commercial Software vs Open Source
4. SAP / Hadoop / Oracle / Microsoft / Odoo / *&^$#
The widespread myth that business-critical application security, especially for ERP, is limited to the SoD matrix has been dispelled.
Application languages come in various flavours - ABAP, C#, C++, Java - and exist in almost every company. A lot of the time they harbour program vulnerabilities left by unqualified developers, or special backdoors that help insiders gain illicit access to business data.
Of all the recorded cyber breaches that occurred in 2015, 50% were attributed to the application layer. A variety of hack tools has been released that prove the possibility of SAP attacks and simplify them for cybercriminals.
Most of these vulnerabilities allow an unauthorized user to gain access to all the critical business data, so it is necessary to think about implementing a specific system of SAP security. Unfortunately, many information security officers are scarcely informed about the security of business applications like SAP & Oracle.
Commercial Vs Open Source
6. A deep dive into why SAP?
Why SAP?
SAP holds the corporate 'Crown Jewels':
* 290,000 corporate customers, including 87% of the Global 2000 and 98% of the most valued brands
* SAP touches 74% of all global transactions and US$16 Trillion of retail sales
.......and this data and information is of interest and real value to: criminal hackers and activists; competitors, partners and nation states; unhappy employees and contractors
7. Protecting your Enterprise (SAP & Open Source Business Critical Applications) from Cyber-Attacks
Three Areas of SAP Security:
1. Business Logic Area: SoD, access controls, insiders
2. Source Code Security: developer mistakes or even sabotage plans, insiders
3. Application Platform Security: external, over the network; hackers, web services, mobility, portal for partners, etc.
Open Source Security:
1. Open Source Debacle: Gartner identifies that 95% of mission-critical applications contain open source, BUT how do we identify and inventory the open source software present in the applications?
8. Why SAP?
SAP holds the corporate 'Crown Jewels':
* 282,000 corporate customers, including 87% of the Global 2000 and 98% of the most valued brands
* SAP touches 74% of all global transactions and US$16 Trillion of retail sales
.......and this data and information is of interest and real value to:
• Criminal hackers and activists
• Competitors, partners and nation states
• Unhappy employees and contractors
12. Possible Exposed SAP Servers in Africa (South Africa, Kenya, Nigeria)
ShodanHQ Search: SAP
Google Search: SAP inurl:cmd=login
Google Search: peoplesoft inurl:cmd=login
Our Findings:
• Close to 200 SAProuters were found on Shodan, and 72% of them were vulnerable to remote code execution
• The most popular release (35%) is still NetWeaver 7.0, which was released in 2005.
• One third of Internet-facing SAP web services do not use SSL at all.
• A major bank in Africa, a major airline in Africa, a government portal and an automotive company were vulnerable
May 2015
13. Continuous Public Publishing of Vulnerabilities
Global Security Researchers
BUT
No Pentest Information Available
CVE? CVSS?? Risk Prioritization
• CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
• CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability.
17. Open source has passed the tipping point
“By 2016, Open Source Software will be included in mission-critical applications within 99% of Global 2000 enterprises.”
50% will face problems because of no policy.
[Chart: Open Source as % of G2000 Codebase, with data points of 10%, 30% and 80% for 2010, 2014 and 2018. Reference: Gartner, Inc.]
18. How pervasive is open source?
• >98% of the applications tested used open source
• On average, open source comprised over 30% of the code base
[Pie chart: Open Source vs Custom Code. Composition of software tested across 1400 Black Duck customers. Reference: Black Duck Software audits]
19. How open source enters a codebase
Open source code is introduced in many ways… and absorbed into the final delivered code:
• Internally developed code
• Outsourced code
• Legacy code
• Reused code / containers
• Supply chain code
• Third-party commercial code
20. Open source: easy targets
• Easy access to code
• Vulnerabilities are public
• Exploits readily available
• Used everywhere
21. Who’s responsible for security?
Commercial Code:
• Dedicated security researchers
• Alerting and notification infrastructure
• Regular patch updates
• Dedicated support team with SLA
Open Source Code:
• “community”-based code analysis
• Monitor newsfeeds yourself
• No standard patching mechanism
• Ultimately, you are responsible
22. WHAT DO THESE VULNERABILITIES HAVE IN COMMON?
• Heartbleed: component OpenSSL; since 2011; discovered 2014 by Riku, Antti, Matti, Mehta
• Shellshock: component Bash; since 1989; discovered 2014 by Chazelas
• Freak: component OpenSSL; since the 1990’s; discovered 2015 by Beurdouche
• Ghost: component GNU C library; since 2000; discovered 2015 by Qualys researchers
• Venom: component QEMU; since 2004; discovered 2015 by Geffner
23. Increasing Number of OSS vulnerabilities
Reference: Black Duck Software knowledgebase, NVD, VulnDB
[Chart: Open Source Vulnerabilities Reported Per Year, 2000 to 2015, NVD vs VulnDB-exclusive counts, y-axis 0 to 3,500]
24. Automated tools miss most open source vulns
[Venn diagram: all possible security vulnerabilities, of which only small subsets are identifiable with static analysis or with dynamic analysis]
• SAST and DAST only discover common vulnerabilities
• Undiscovered vulnerabilities are too complex, nuanced
• 3,000+ disclosed in 2014, <1% found by automated tools
25. How are companies addressing this today? Not well.
Manual tabulation
• Architectural Review Board
• At end of SDLC
• High effort and low accuracy
• No controls
Spreadsheet-based inventory
• Dependent on developer best effort or memory
• Difficult maintenance
• Not source of truth
Tracking vulnerabilities
• No single responsible entity
• Manual effort and labor intensive
• Unmanageable (11/day)
• Match applications, components & versions with vulnerabilities
Vulnerability detection
• Run monthly/quarterly vulnerability assessment tools (e.g., Nessus, Nexpose) against all applications to identify exploitable instances
27. A solution to solving this problem would include these components
TRUST
• Choose Open Source: proactively choose secure, supported open source
VERIFY
• Inventory Open Source: maintain an accurate list of open source components throughout the SDL
• Map Existing Vulnerabilities: identify vulns during development
MONITOR
• Track New Vulnerabilities: alert on new vulns in production apps
28. In Conclusion
With IoT, the attack surface automatically doubles every 17 months.
Protecting SAP from cyberthreats begins with a shift in beliefs about accessibility, vulnerability and responsibility. A cybersecurity program is only effective when it begins with the appreciation that everything is now connected and therefore accessible. SAP systems and applications, whether in development or production, are as much at stake as any other system.
Extending the same (or better) assessments, auditing procedures and tests that you would for any other enterprise platform or application is no different when you consider your valuable investments in and reliance on ERP systems such as SAP.
Know what lies in your code – Open Source
Real Attack Surface = Number of critical Web Applications × Average number of Vulnerabilities per web Application
We cannot deny that the application security challenges are not limited to one side of the divide; in fact, the challenges are that there is a growing attack surface on a daily basis, and organizations are beginning to look for answers to the salient questions they never used to ask in the past. Questions like: what apps are people running in the organization? How do I set internal policy requirements for application security? Is my private or sensitive data exposed over apps? And lastly, who is developing those apps?
Also, with newer deployment models like containers, we need to ask ourselves: how do we test our applications, and what do we actually test?
Disclaimer: There is no intention to badmouth any OEM in this discussion but to point out areas of research and our skill area. This is not necessarily an SAP problem but an applications problem. The risks could manifest themselves from many places: espionage from other countries, e.g. spy leaks; sabotage, e.g. DDoS; modification of financial data; access to SCADA networks in manufacturing environments; and of course white-collar organised fraud.
Standard Bank hack in May 2016 and NSA hacked on 15.08.2016
Big Idea: Open source usage is accelerating rapidly with Gartner predicting by 2018 that 80% of the global 2000 codebase will be open source code. Why? OSS results in more time and cost efficiency in application development, with higher quality code, tested by a broad community. Chances are, open source is already in your mission-critical applications. Gartner points out that not having a policy around open source is one of the problems organizations have.
Questions: Does your organization have visibility into where open source code exists in your codebase?
Big Idea: Black Duck’s audit business provides us with some insight, since we audit much of the world’s software during the M&A process. What we’ve seen corroborates Gartner’s view, in that 98% of our audit customers’ applications have open source code in use, and on average 30% of an application’s code base is open source.
Question: If your organization is like many we work with, and 30% of your code base is open source, would that change how you scan for vulnerabilities?
Big idea: if you’re like most of us, you think about open source entering your codebase when a developer, under a tight deadline perhaps, grabs a pre-built component from the internet, perhaps from Github or a similar website. But open source can get into your applications in a number of ways – and keeping track of all of them can become pretty difficult…
Question: This slide calls out reused code and containers as one way OSS makes its way into your applications – does your organization have a policy position on the use of container technology, such as Docker?
-------------------------
Reference:
Internally developed code – stuff your own developers write
Supply chain code – code that comes from upstream vendors that deliver parts or the whole of a solution
Reuse code/containers – code in other applications that you reuse. Often called “innersourcing”.
Third party commercial code – code you license from a third party, think Adobe Flash, etc. It might contain open source.
Legacy code – really old code (10-15 years) that might contain open source, often unsupported, unpatched, vulnerable
Outsourced code – code you pay others to write just for you
Big Idea: Open source is not more or less secure than commercial code, but these characteristics simply make it a VERY attractive target for attackers: 1. It’s ubiquitous, so the chance of a bad actor finding an addressable target is much higher than with commercial code. 2. The source code is available on the public internet, allowing hackers to pick it apart looking for exploitable holes. 3. Using the NVD and OSVDB (among other sources) attackers can find specifics on vulnerabilities to attack and details on how to exploit them; often the exploits themselves are published. 4. If they still need help, YouTube videos explaining the exploits and how to deploy them are readily available.
Question: The latest high profile vulnerability, GlibC, was made public in February – have you been able to track down where it exists in your environment? How did you / would you accomplish that?
Big Idea: With commercial 3rd-party components there is a support infrastructure built to ensure security patches are applied in a timely manner. This simply does not exist with open source libraries and components – you are mostly on your own there.
Question: What’s your company’s process / policy for implementing security patches in general, AND is there a similar policy for open source?
Big Idea: We’ve seen a trend recently in “named vulnerabilities”, and Heartbleed, Shellshock, Freak and the others are likely familiar to you.
Question: What do these all have in common?
Answers we are looking for:
Each is a vulnerability in a widely used open source component
Each existed for years without being detected by automated analysis tools and penetration testing methods.
Each was ultimately identified and disclosed by security researchers conducting manual code reviews.
Big Idea #2: If automated security analysis tools and penetration testing tools were effective at finding vulnerabilities in open source, these vulnerabilities would have been found long ago.
Big Idea: Both good and bad researchers are combing open source looking for vulnerabilities, and in 2015 over 3,000 new vulnerabilities were disclosed in the National Vulnerability Database and VulnDB, a proprietary database licensed by Black Duck. As more vulnerabilities are disclosed, code that was once believed to be secure may now be vulnerable.
Question: If you can’t reliably track the open source used in your software, how do you respond to these new vulnerabilities in your code base? Static analysis tools build in “rules” for the most well-known vulns – how would you find the rest?
Big Idea: No one technique can find every vulnerability – this is why many security teams deploy both static and dynamic analysis tools. In many cases we’ve seen teams deploy more than just one dynamic analysis tool.
Question: Importantly, these tools have been used to scan open source code for years – and they did not find the vulnerabilities we’ve been hearing about recently like Heartbleed, GLibC and Drown – why do you think that is?
(The answer you’re looking for here is that they require the eyes of specialized human researchers who can look at code, see something that looks “off” and run experiments to determine there is a vuln.)
Big Idea: Companies that are addressing open source vulnerabilities typically have a heavy, costly manual process to address it. And at the end of the day, it’s still error-prone and leaves a lot of risk on the table. Companies that choose not to address it at all expose themselves to even greater risk.
Question: What’s your current approach? Is it process-heavy or light? What kind of residual risk do you think you are exposed to?
Big Idea: Most manual processes and most open source management solutions can create a list of open source components and match them with known security vulnerabilities, but to solve the problem holistically, you might want to think about what happens BEFORE, meaning how you would proactively choose the right open source components, as well as what happens AFTER deployment, where you need to monitor whether deployed applications are impacted by new vulns as they are discovered.
Question: Which pieces of a potential solution do you have already and which are you missing?
----------------------------------------------------------------------------------------------------------------
A best-practices solution would combine elements of TRUST, VERIFICATION, and MONITORING:
1 – Starting with TRUST, this is providing developers and architects a way to choose open source components that are free of known vulnerabilities, and have active community support. This is a proactive step that reduces risk downstream in the software development process, and is the most cost-effective means of risk reduction.
2 – VERIFICATION means two things: having an accurate inventory of open source and being able to map it against all known vulnerabilities, in any and all applications, at any point in the SDL.
3 – MONITOR means being able to monitor the released code for newly discovered vulnerabilities and alert the right people for remediation.
Many organizations end security testing when applications are released. After all, the code base isn’t changing, nor are the security rules in the tools, so why test simply to see the same results again? However, this ignores the fact that while the code base isn’t changing, the threat environment changes constantly. With over 4,000 new vulnerabilities each year, a comprehensive solution should be continuously monitoring this constant stream of new vulnerabilities, and automatically notify you of any new vulnerabilities in the open source you used in deployed applications, including:
Which applications use the code
How critical the vulnerability is, and
How to remediate it
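The VERIFY and MONITOR steps of slide 27 and of the TRUST / VERIFY / MONITOR notes above, as an added example that is not part of the original deck: it reads a per-application inventory of open source components, maps it against a set of known advisories (with affected-version ranges, so a fixed release is not flagged), and then diffs a refreshed advisory feed against what has already been triaged to raise alerts naming the application, component, CVSS and remediation. The inventory lines, component names and advisory ids are constructed placeholders; a real feed would carry CVE numbers.

```python
"""Open source inventory -> map known vulnerabilities -> monitor for new ones.
Added example for slide 27 and the TRUST / VERIFY / MONITOR notes; all data
below (inventory, component names, advisory ids) is constructed."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Component:
    app: str        # application that ships the component
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    vuln_id: str    # placeholder id; a real feed would carry the CVE number
    component: str
    introduced: str # first affected version (inclusive)
    fixed: str      # first fixed version (exclusive); "" means no fix yet
    cvss: float


def parse_version(version: str) -> tuple:
    """'1.0.1f' -> (1, 0, 1, 6): a trailing letter becomes its alphabet index,
    so tuple comparison gives '1.0.1f' < '1.0.1g' < '1.0.2'."""
    parts = []
    for piece in version.split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", piece)
        if not m:
            raise ValueError(f"unsupported version syntax: {version!r}")
        parts.append(int(m.group(1)))
        if m.group(2):
            parts.append(ord(m.group(2)[0]) - ord("a") + 1)
    return tuple(parts)


def parse_inventory(text: str) -> list:
    """VERIFY step 1: read an 'app component version' inventory, one per line;
    '#' comments and blank lines are ignored."""
    inventory = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        app, name, version = line.split()
        inventory.append(Component(app, name, version))
    return inventory


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed); open-ended if no fix."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def map_vulnerabilities(inventory: list, advisories: list) -> dict:
    """VERIFY step 2: {vuln_id: [Component, ...]} for every known match."""
    findings = {}
    for comp in inventory:
        for adv in advisories:
            if adv.component == comp.name and is_affected(comp.version, adv):
                findings.setdefault(adv.vuln_id, []).append(comp)
    return findings


def monitor(inventory: list, seen_ids: set, feed: list) -> list:
    """MONITOR: alerts for advisories not yet triaged that hit deployed code,
    highest CVSS first, each naming the application, component and fix."""
    new = [adv for adv in feed if adv.vuln_id not in seen_ids]
    by_id = {adv.vuln_id: adv for adv in new}
    alerts = []
    for vuln_id, comps in map_vulnerabilities(inventory, new).items():
        adv = by_id[vuln_id]
        fix = f"upgrade to {adv.fixed}" if adv.fixed else "no fix yet; mitigate"
        for c in comps:
            alerts.append({"vuln": vuln_id, "app": c.app, "component": c.name,
                           "version": c.version, "cvss": adv.cvss,
                           "remediation": fix})
    return sorted(alerts, key=lambda a: a["cvss"], reverse=True)


# Constructed inventory: two applications sharing two third-party components.
INVENTORY_TEXT = """\
# app        component   version
payments     acme-tls    1.0.1f
payments     jsonlite    2.3.0
hr-portal    acme-tls    1.0.1g
hr-portal    jsonlite    2.2.9
"""
# Constructed advisory feed (ids are placeholders, not real CVEs).
KNOWN = [
    Advisory("VULN-0001", "acme-tls", "1.0.1", "1.0.1g", 7.5),
    Advisory("VULN-0002", "jsonlite", "2.0.0", "", 9.8),
]
FEED = KNOWN + [Advisory("VULN-0003", "jsonlite", "2.3.0", "2.3.1", 5.3)]

if __name__ == "__main__":
    inv = parse_inventory(INVENTORY_TEXT)
    for vid, comps in map_vulnerabilities(inv, KNOWN).items():
        print(vid, [(c.app, c.name, c.version) for c in comps])
    for alert in monitor(inv, {"VULN-0001"}, FEED):
        print(alert)
```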