The NEN7510 ISO27001 certification project for information security - NEN 75...Ad Voets
For information security with NEN 7510 - ISO 27001.
See WWW.META-AUDIT.NL
Quickly obtain a certifiable management system for ISO27001 and NEN7510, based on a digital management system with sample documents.
Code by the sea: Web Application SecurityBoy Baukema
A three-for-one of short talks on Web Application Security.
First, are you secure? What is secure anyway? How can you be sure? Wouldn't it be nice if there was some kind of checklist you could show when someone asks you these questions? Fortunately several security specialists at the Open Web Application Security Project (OWASP) thought so too and created just such a list, called Application Security Verification Standard (ASVS). We'll look at what it is and how you can use it.
Next we will discuss the Dutch Meldplicht Datalekken that came into effect on the first of January this year and what it means for you as a software developer.
Finally we'll wrap up with a quick overview of the OWASP Top 10 and less obvious vulnerabilities that might be lurking in your codebases.
https://www.meetup.com/Code-by-the-sea/events/234264535/
Web Application Security: The Land that Information Security ForgotJeremiah Grossman
Web Application Security: The Land that Information Security Forgot
Today, the vast majority of those within information security have heard about web application security and possess at least a vague understanding of the risks involved. However, the multitude of attacks which make this area of security important, for the most part, go undocumented, unexplained and misunderstood. As a result, our web applications become undefended and at the mercy of a determined attacker. In order to gain a deeper understanding of the threats, witnessing these attacks first hand is essential.
Make no mistake, insecure and unprotected web applications are the fastest, easiest, and arguably the most utilized route to compromise networks and exploit users. What's worse is that conventional security measures lack the proper safeguards and offer little protection, resulting in nothing more than a "false sense of security".
This discussion will cover theory surrounding some of the more dangerous web application attacks, examples of the attack in action, and possible countermeasures.
Founder and chairman of WhiteHat Security, and former information security officer with Yahoo!. As information security officer at Yahoo!, Jeremiah was designing, auditing, and penetration-testing the huge company's web applications which demand highest security.
During his past 5 years of employment, Jeremiah has been researching and applying information security with special emphasis on prevention of web application sabotage. Grossman has presented "Web Application Security" talks at many security conventions such as the Defcon, Air Force and Technology Conference, ToorCon, and others.
Jeremiah is a lead contributor to the "Open Web Application Security Project" www.owasp.com and considered to be among the foremost web security experts.
This seminar introduces WPF and the information required to start developing WPF applications. XAML and related concepts are discussed as well.
The Agenda for the session includes -
- Introducing WPF.
- Understanding WPF architecture.
- Important features of WPF.
- Types of WPF application.
- Introducing XAML.
- Understanding when to use WPF.
Vulnerability Management In An Application Security WorldDenim Group
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.
This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.
From the OWASP Washington DC meeting August 5, 2009.
Introduction to Web Application Penetration TestingAnurag Srivastava
Web Application Pentesting
* Process to check and penetrate the security of a web application or a website
* The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities
* Any security issues that are found will be presented to the system owner, together with an assessment of the impact and a proposal for mitigation or a technical solution.
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
Join Cenzic’s Chris Harget for an overview of the essentials of Web Application Security, including the risks, practices and tools that improve security at every stage of the application lifecycle.
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
This is the version modified for the OWASP meeting in June of 2014.
A presentation and class delivered to a PHP developer group at Brown University that discussed Web Application Security with a heavy emphasis on PHP, covered security in the SDLC, and showed with some examples what to do and what not to do.
Hardening Microservices Security: Building a Layered Defense StrategyCloudflare
Microservices architecture is forcing developers to not only rethink how they design and develop applications, but also common security assumptions and practices.
With the decomposition of traditional applications, each microservice instance represents a unique network endpoint, creating a distributed attack surface that is no longer limited to a few isolated servers or IP addresses.
In this presentation, we will review:
- How microservices differ from SOA or monolithic architectures
- Best practices for adopting and deploying secure microservices for production use
- Avoiding continuous delivery of new vulnerabilities
- Limiting attack vectors on a growing number of API endpoints
- Protecting Internet-facing services from resource exhaustion
Link reclamation for quick SEO wins. Redirects, mentions of your company, products, or people, outreach, Google alerts, images, quotes, statistics and more are great ways to reclaim lost links.
From redirects to insecure content to duplicate content, everyone screws up https. Even top-tier developers get this wrong, and the results can be devastating.
Learn how to secure your website without losing your rankings and become more trustworthy in the eyes of your visitors.
Latest Trends in Web Application SecurityCloudflare
Hear the talk on YouTube: https://www.youtube.com/watch?v=lp4dQTSH130
Web Application Firewall security is evolving. Join John Graham-Cumming, CTO of CloudFlare, as he shares the latest trends and changes in Web Application Security. This talk will give details of the big trends in web application security seen in 2015, and how to defend against these threats and talk about the evolving web application security landscape.
Presentation of link aggregation technology on Cisco.
Operation, the PAgP and LACP protocols, configuration on Cisco Catalyst switches
Routing and switching essentials companion guide
By Cisco Networking Academy
Published Feb 18, 2014 by Cisco Press. Part of the Companion Guide series.
Get ready for a night of security horror! Together we'll look at some of the scariest horror stories from fiction and application security.
From The Shining to data breaches and from Saw to ransomware. Horror stories entertain us and sometimes even teach us something about bad decision making.
Tonight we'll not only look at some entertaining stories but highlight where they went wrong and what they should've done instead and together we'll learn more about defending against horrors.
Scaring you tonight will be Boy Baukema, Senior Application Security Consultant at Veracode. He is a developer with 15+ years of software development experience and subject matter expert in application security. He provides consultative services to Veracode customers including large companies in sectors like financial services. He works with security teams and developers in 40+ programming languages to secure software.
Review of history of JavaScript, what Veracode does and does not support, a little game of Pokemon or JavaScript library and finally learning the basics of JavaScript and TamperMonkey to change webapps.
Verifying Drupal modules with OWASP ASVS 2014Boy Baukema
During this workshop we'll be going more in-depth into how to audit a Drupal site. We'll be using OWASP ASVS 2014 and a Drupal 7 site which participants will have to prove to be vulnerable.
During this interactive workshop we'll be discussing and demonstrating basic and advanced examples of the following vulnerabilities:
Injection of various kinds (JavaScript, HTML, SQL, XML, etc)
Missing Authentication or Authorization
Cross Site Request Forgery (CSRF)
Denial of Service
Abuse of functionality
Information Leakage
and more.
A laptop with VirtualBox installed is advised.
Drupalgeddon, Heartbleed, Shellshock, a million visitors a month, painting a large target for hackers.
But fast paced Dutch news site rtlnieuws.nl is still standing. Want to find out why?
In this presentation I will discuss why it's important to bake security into your process. Come to learn more about:
Defining security requirements up front and clearly with a customer
How and where to learn more about security - A quick run through of the most common vulnerabilities and their prevention like:
Injection of various kinds (JavaScript, HTML, SQL, XML, etc)
Missing Authentication or Authorization
Cross Site Request Forgery (CSRF)
Verifying that you have met your security goals at the end
Maintaining security even in the face of (inevitable) third party vulnerabilities
You'll leave this presentation with a clear plan to define and exceed your own or your customers' security requirements.
13. Controls in Annex A
• A.5.1.1. For the purpose of information security, a set of policies must be defined, approved by management, published and communicated to employees and relevant external parties.
• A.8.1.1. Information, other assets associated with information, and information processing facilities must be identified, and an inventory of these assets must be drawn up and maintained.
14. Controls in Annex A
• A.11.1.6 Delivery and loading areas
Control
Access points such as delivery and loading areas and other points where unauthorised persons could enter the premises must be controlled and, where possible, isolated from information processing facilities to avoid unauthorised access.