Enterprise mobile application security
1. Security – Enterprise Mobile Applications
Venkat Alagarsamy
venkat.alagarsamy@gmail.com
www.linkedin.com/in/VenkatAlagarsamy
www.scribd.com/VenkatAlagarsamy
www.facebook.com/Venkatachalapathi.Alagarsamy
www.slideshare.net/VenkatAlagarsamy
www.twitter.com/TwitsOfVenkat
VenkatAlagarsamy.blogspot.in
Last Updated: 18th Jan 2013
2. Corporate Data Users
• It is a business fact that nearly 60% of all corporate employees access content through public networks using phones, tablets and other hand-held devices.
• Other than employees, customers and vendors too access the corporate database anywhere, anytime, on any device.
• Public
3. Statistics
• 80% of corporate users use their device without knowing the security threats.
• 80% of corporate users use a jailbroken device.
• 70% of users do not have anti-virus on their device.
• 70% is the probability that the application gets misused.
• 55% of users lose sensitive credentials and corporate data to a hacker.
4. The Challenge
The rapid adoption of mobile applications by corporates has created a significant security challenge, because corporate data is accessed outside the firewall/DMZ. So the challenges for corporate mobile application developers are:
• How do I secure a mobile application with/without limited users?
• How do I secure the application itself?
• What should be developed as a mobile application?
• How should I provision this application to users?
5. Attacks – Device Based
• Device based attacks
  – Misplaced or lost device
    • Unencrypted credentials
    • Insecure storage
    • Cached data
  – Malware installation due to downloading an unknown application
    • Malicious certificates
    • Reconfigured proxy settings, or
    • Man-in-the-middle (MiTM) visibility into every user transaction.
6. Attacks – Network and Server Based
• Identity Spoofing (IP address spoofing)
  – Using special programs, the attacker constructs IP packets that appear to originate from valid addresses inside the corporate intranet.
  – After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete data.
• Password Attacks
  – Obtain lists of valid user and computer names and network information.
  – Modify server and network configurations, including
7. Attacks – Network and Server Based
• Denial-of-Service Attack
  – Divert the attention of the corporate internal Information Systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion.
  – Send invalid data to applications or network services, which causes abnormal termination or behavior of the applications or services.
  – Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.
  – Block traffic, which results in a loss of access to network resources by authorized users.
8. Attacks – Network and Server Based
• Man-in-the-Middle Attack
  – Actively monitoring, capturing, and controlling all communication, and re-routing a data exchange.
• Compromised-Key Attack
  – With the compromised key, the attacker can decode any secured encrypted data and then use the data as required.
• Sniffer Attack
  – Analyze the network and gain information to eventually cause the network to crash or become corrupted.
  – Read transaction/data communications.
9. Attacks – Network and Server Based
• Application-Layer Attack
An application-layer attack targets application servers by deliberately causing a fault in a server's operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of the application, system, or network, and can do any of the following:
  – Read, add, delete, or modify data or the operating system.
  – Introduce a virus program that uses corporate computers and software applications to copy viruses throughout the corporate network.
  – Introduce a sniffer program to analyze the network and gain information that can eventually be used to crash or corrupt legacy systems and the network.
10. Device Security - Reverse Engineering
• Understand the logic and the application's security weaknesses
• Look for keywords like password, key, SQL and security logic (AES/DES)
• Modify the code to bypass client-side checks and rebuild the app
• Send requests with altered data packets from the modified app
• Steps:
  – Get the executable
  – Understand the technology
11. Device Security - Reverse Engineering – Tools Used
| OS | Decompressor | Object -> Class -> Functions | Editor |
|---|---|---|---|
| Windows | Winzip | ILSpy | Visual Studio, Notepad |
| Android | Winzip | Dex2Jar and JD-GUI | Notepad |
| iOS | iExplorer | OTool and Class-dump-z | |
Obfuscators: Windows – preemptive.com/products/dotfuscator/overview, confuser.codeplex.com/; Android – http://proguard.sourceforge.net/
12. Device Security – Malware
Malware (worms and Trojans) is installed on the device either via SMS/MMS or by an untrusted application download. It can:
• Destroy the operating system
• Provide misleading information
• Steal data/cookies
• Deactivate other trusted applications
• Plant spyware to spy on calendars, email accounts, notes etc.
13. Device Security – Malware Samples
| Virus Name | OS | Symptom, Propagation and Damages |
|---|---|---|
| Cabir | Symbian | Displays "Caribe" whenever the phone is turned on. Spreads to other phones using Bluetooth. |
| Duts | Windows | Affects EXE files larger than 4KB. |
| Skulls - Trojan | Windows | Replaces all icons with an image of a skull. |
| Commwarrior | Symbian | Spreads by MMS and Bluetooth. Hunts for devices running Bluetooth and sends them infected files. |
| Gingermaster - Trojan | Android | Hidden malware. Steals device details and sends them to a remote server. |
| DroidKunFu – Trojan | Android | Gains root privileges and installs com.google and ssearch.apk, which remove files and open and auto-download some applications. It also sends device data to a remote server. |
14. Device Security – Antivirus Protection Software
Vendors compared: BullGuard, Lookout, McAfee, ESET, Kaspersky, Trend Micro, F-Secure, Webroot, NetQin.
Operating system coverage in the slide's table: Android – all nine vendors; Symbian – five of the nine; BlackBerry – three of the nine; Windows – two of the nine (which vendors cover Symbian, BlackBerry and Windows is not recoverable from the extracted slide text).
15. Device Security – Some Best Practices (User)
• Download applications from the official application store only. Otherwise you expose yourself, and your mobile phone software provider does not protect you.
• Don't jailbreak or root the device. If cracked software is installed you are inheriting a risk.
• Install an antivirus. Antivirus protects the device against apps that try to steal data.
• Before installing an application from the application store, understand and agree to the application's device/data usage.
• Disable Bluetooth and other wireless components when not in use.
16. Device Security – Enterprise Application Design Practices
• Adhere to the corporate password policy
• Transfer data only through SSL or VPN (use VPN if possible)
• Auto-disable all unwanted components like Bluetooth when not required
• Make sure there is no memory leakage
• Do not store any critical data offline. If required, encrypt the data and store it using an encrypted database like SQLCipher
• Ensure the device is registered for using the application
• Ensure the logged-in user is the right user to use the device and application
• Provide single sign-on
• Provide remote wipe if the device is lost
• Use a dynamic key for encryption of in/out data, where the key is controlled by the server
• Do not use any special characters or SQL in posted data
17. Network Security
Network security is the set of activities designed to protect the network's
• Usability
• Reliability
• Integrity
• Safety
from threats like
• Viruses, worms, and Trojan horses
• Spyware and adware
• Zero-day attacks, also called zero-hour attacks
• Denial of service attacks
• Data interception and theft
• Identity theft
18. Network Security Components
• Multiple layers of security. If one fails, others still stand.
• Network security is accomplished through hardware and software. The software must be constantly updated and managed to protect from emerging threats.
• Network security components often include:
  – Anti-virus and anti-spyware
  – Firewall, to block unauthorized access to your network (DMZ)
  – Intrusion prevention systems (IPS), to identify fast-spreading threats, such as zero-day or zero-hour attacks
19. Attackers – How do they do it?
• The most popular attacks use:
  – Reverse engineering
  – Cross-site scripting (XSS)
  – SQL injection
20. Cross-site Scripting (XSS Attack)
• As documented by Symantec in 2007, 84% of vulnerabilities are caused by XSS attacks.
• Cross-Site Scripting (XSS) attacks occur when:
  – Data enters a web application through an untrusted source, most frequently a web request.
  – The data is included in dynamic content that is sent to a web user without being validated for malicious code.
• It is the process of injecting malicious content into a web page and having that content (usually ActiveX, JavaScript, VBScript, Applet, Flash, HTML etc.) executed in the client browser
  – to steal client data.
21. Cross-site Scripting - XSS Types
• Stored XSS Attacks – The injected code is permanently stored in targeted components like a database, message forum, visitor log, comment field, etc.
• Reflected XSS Attacks – The injected code is reflected off the web server
  – as a response such as an error message, search result, etc.
  – in an email message
When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.
22. XSS – Prevention Summary
| Data Type | Context | Code Sample | Defense |
|---|---|---|---|
| String | HTML Body | <span>UNTRUSTED DATA</span> | HTML Entity Encoding |
| String | Safe HTML Attributes | <input type="text" name="fname" value="UNTRUSTED DATA"> | Aggressive HTML Entity Encoding; only place untrusted data into a whitelist of safe attributes; strictly validate unsafe attributes such as background, id and name |
| String | GET Parameter | <a href="/site/search?value=UNTRUSTED DATA">clickme</a> | URL Encoding |
| String | Untrusted URL in a SRC | <a href="UNTRUSTED URL">clickme</a> | Canonicalize input; URL validation; safe URL verification; whitelist http and https URLs only (Avoid |
Source: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
23. XSS – Prevention Summary (Contd…)
| Data Type | Context | Code Sample | Defense |
|---|---|---|---|
| String | CSS Value | <div style="width: UNTRUSTED DATA;">Selection</div> | Strict structural validation; CSS hex encoding; good design of CSS features |
| String | JavaScript Variable | <script>var currentValue='UNTRUSTED DATA';</script> <script>someFunction('UNTRUSTED DATA');</script> | Ensure JavaScript variables are quoted; JavaScript hex encoding; JavaScript Unicode encoding; avoid backslash encoding (\" or \' or \\) |
| HTML | HTML Body | <div>UNTRUSTED HTML</div> | HTML validation (JSoup, AntiSamy, HTML Sanitizer) |
| String | DOM | <script>document.write("UNTRUSTED | |
Source: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
24. XSS Prevention – Output Encoding
| Encoding Type | Encoding Mechanism |
|---|---|
| HTML Entity Encoding | Convert & to &amp;, < to &lt;, > to &gt;, " to &quot;, ' to &#x27;, / to &#x2F; |
| HTML Attribute Encoding | Except for alphanumeric characters, escape all characters with the HTML Entity &#xHH; format, including spaces. (HH = hex value) |
| URL Encoding | Standard percent encoding, see: http://www.w3schools.com/tags/ref_urlencode.asp |
| JavaScript Encoding | Except for alphanumeric characters, escape all characters with the \uXXXX Unicode escaping format (X = integer). |
| CSS Escaping | CSS escaping supports \XX and \XXXXXX. Using a two-character escape can cause problems if the next character |
Source: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
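Added example, not part of the deck: Python encoders that implement the OWASP output-encoding rules tabulated above (HTML body, HTML attribute, GET parameter, JavaScript string and CSS value), the canonicalize-and-whitelist check for an untrusted URL in an href, and a small assumed page template showing which encoder belongs in which context. The helper names, the template and the sample values are assumptions, not anything from the slides.

```python
"""Context-aware output encoding following the OWASP XSS prevention rules above.
Example code added for illustration; helper names and the page template are assumed."""
from typing import Optional
from urllib.parse import quote, urlsplit, urlunsplit


def _is_safe_char(c: str) -> bool:
    # Only ASCII letters and digits are ever left unencoded by the "aggressive" rules.
    return c.isascii() and c.isalnum()


def html_entity_encode(s: str) -> str:
    # HTML body: the six characters the table lists become named/hex entities.
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
             '"': "&quot;", "'": "&#x27;", "/": "&#x2F;"}
    return "".join(table.get(c, c) for c in s)


def html_attribute_encode(s: str) -> str:
    # HTML attribute: everything but [A-Za-z0-9] becomes &#xHH;, spaces included,
    # so the value cannot close a quoted attribute or start a new one.
    return "".join(c if _is_safe_char(c) else f"&#x{ord(c):02X};" for c in s)


def url_encode(s: str) -> str:
    # GET parameter value: standard percent-encoding with no characters left "safe".
    return quote(s, safe="")


def javascript_encode(s: str) -> str:
    # JavaScript string: \uXXXX for every non-alphanumeric character. Code points
    # above U+FFFF are written as a UTF-16 surrogate pair, which is what the engine
    # expects. No backslash escaping (\" \' \\) is used at all.
    out = []
    for c in s:
        if _is_safe_char(c):
            out.append(c)
            continue
        cp = ord(c)
        if cp > 0xFFFF:
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04X}\\u{0xDC00 + (cp & 0x3FF):04X}")
        else:
            out.append(f"\\u{cp:04X}")
    return "".join(out)


def css_encode(s: str) -> str:
    # CSS value: always the six-digit \XXXXXX form, so a hex digit following the
    # escape can never be swallowed into it (the two-digit form has that problem).
    return "".join(c if _is_safe_char(c) else f"\\{ord(c):06X}" for c in s)


def safe_url(untrusted: str) -> Optional[str]:
    # Untrusted URL in SRC/HREF: canonicalize (drop control characters, trim,
    # lower-case the scheme), validate, and allow only http and https.
    canonical = "".join(ch for ch in untrusted if ord(ch) >= 0x20).strip()
    parts = urlsplit(canonical)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return urlunsplit(parts._replace(scheme=parts.scheme.lower()))


def render_search_page(query: str, link: str) -> str:
    # Assumed page template: the same untrusted query lands in five different
    # contexts, and each context gets its own encoder rather than one generic
    # "escape" call. The link is validated before it is attribute-encoded.
    href = safe_url(link)
    link_html = f'<a href="{html_attribute_encode(href)}">result</a>' if href else ""
    return (
        f"<span>You searched for {html_entity_encode(query)}</span>\n"
        f'<input type="text" name="q" value="{html_attribute_encode(query)}">\n'
        f'<a href="/site/search?value={url_encode(query)}">search again</a>\n'
        f"<script>var currentValue='{javascript_encode(query)}';</script>\n"
        f'<div style="width: {css_encode(query)};">Selection</div>\n'
        + link_html
    )
```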
25. XSS Prevention – Testing Tools
• Commercial License:
  o Veracode Dynamic Scanner
  o Whitehat
  o HP WebInspect
  o Cenzic Hailstorm
  o IBM AppScan
  o NTOSpider
  o Qualys
  o Burp Professional
• Free/Open Source:
  o W3af
  o XSS-Me and Access-Me
  o OWASP ZAP
  o Skipfish
  o Wfuzz
  o Reference for more tools :
26. SQL Injection
• SQL Injection Attack (SQLIA) is one of the top 10 vulnerabilities identified by OWASP.
• It is the insertion of SQL into a posted request from the client application to the server.
• By injecting SQL, the attacker can
  – Read sensitive database data
  – Modify (insert/update/delete) the database
  – Execute admin operations
  – Alter the DB structure
  – Bypass user authentication
28. Prevention of SQL Injection – Primary Defense
• Prepared Statements (Parameterized Queries) – the attacker cannot change the intent of a query.
  Recommendations:
  – Java EE – use PreparedStatement() with bind variables
  – .NET – use parameterized queries like SqlCommand() or OleDbCommand() with bind variables
  – PHP – use PDO with strongly typed parameterized queries (using bindParam())
  – Hibernate – use createQuery() with bind variables (called named parameters in Hibernate)
  – SQLite – use sqlite3_prepare() to create a statement object
• Stored Procedures – same as prepared statements
• Escaping all user-supplied input
Reference
OWASP: https://www.owasp.org/index.php/ESAPI
Google: http://owasp-esapi-
29. Prevention of SQL Injection – Additional Defense
• Least privilege
• Whitelist input validation
Reference:
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
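Added example, not from the deck, covering the primary defense of slide 28 and the additional defenses of slide 29 in one piece of Python: a login lookup in its string-concatenation form beside the parameterized form (the standard-library sqlite3 module, which prepares the statement and binds the values separately, as the slide recommends for SQLite), followed by whitelist validation of the username and a least-privilege, query-only connection for the login path. The table, its rows, the username policy and the function names are constructed assumptions.

```python
"""Vulnerable vs. parameterized login lookup, plus whitelist validation and least
privilege. Example code added for illustration; table, rows and policy are assumed."""
import re
import sqlite3
from typing import List, Tuple

# Assumed corporate username policy: lower-case letters, digits, underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table so the example runs offline. Plain-text passwords
    # are used only to keep the demonstration short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str,
                     password: str) -> List[Tuple[str, str]]:
    # The 'before' form: untrusted input is pasted into the SQL text, so a quote in
    # either field rewrites the WHERE clause and changes the intent of the query.
    sql = (f"SELECT name, role FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, name: str,
                        password: str) -> List[Tuple[str, str]]:
    # Primary defense: a prepared statement with bind variables. The query text is
    # compiled first and the values are bound afterwards, so they are always data.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def valid_username(name: str) -> bool:
    # Additional defense: whitelist validation rejects anything outside the policy
    # before it reaches the database at all.
    return USERNAME_RE.fullmatch(name) is not None


def restrict_to_read_only(conn: sqlite3.Connection) -> None:
    # Additional defense, least privilege: the login path only ever needs SELECT,
    # so the connection it uses is made query-only (SQLite PRAGMA query_only).
    conn.execute("PRAGMA query_only = 1")


def login(conn: sqlite3.Connection, name: str, password: str) -> List[Tuple[str, str]]:
    # Defense in depth: validate, then query with bind variables.
    if not valid_username(name):
        return []
    return login_parameterized(conn, name, password)


def write_allowed(conn: sqlite3.Connection) -> bool:
    # Probe whether the connection can still modify the table (expected False after
    # restrict_to_read_only). The row name is chosen so nothing is actually deleted.
    try:
        conn.execute("DELETE FROM users WHERE name = 'nobody'")
        conn.commit()
        return True
    except sqlite3.OperationalError:
        return False
```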
31. Architectural and Development Considerations
• Validate the device registration from the server
• Always use a VPN (at least SSL) network for communication
• Encrypt the critical data at both ends
• Use dynamic encryption keys. An encryption key should be used for only one communication and it should have automatic expiry. The key should have some complex generation logic.
• Do not store the entire initial encryption key on the device, i.e., the complete key should be generated from a partial key.
• Do not cache or store data. Do not create any cookies
• Disable all network components that are not used by the application
• Enforce the password policy
• Enable single sign-on using servers like LDAP
• Disable client-side scripting
• Do not keep any SQL on the client side
• If it is necessary to store offline data, use an encrypted DB like SQLCipher
• Always validate both input and output data for format and canonical
32. Conclusion
The security of mobile applications should be ensured at all levels and by all players:
• Application/service providers
• Organization
• Device providers
• Registries
• Data centers/cloud services
• Government
• CERTs
• Users
All players in this ecosystem must apply the basic rules for effective security:
• Coordination
• Communication and