Security? It's simple. We have a Security Team... The security of our environment, our applications and our development process is their job. We follow Best Practices, and we implement their suggestions (or not...).
But maybe today, in June 2018, when GDPR is a fact, we should look a little more closely at the security aspects: well-known and less-known risks, vulnerability assessments, secure coding and secure testing.
Let's discuss: SEC/DEV/OPS/SDLC/OSSTMM/OWASP/ITIL and a few other acronyms. Use freely available knowledge and a specially prepared environment to check and test our security before we touch Visual Studio, PowerShell, the CLI, Visual Studio Code, or even JSON. Be #SecureByDesign
The document discusses various techniques for exploiting web applications, beginning with older techniques like exploiting default admin paths, uploading web shells, and SQL injection, and progressing to more modern attacks against content management systems and frameworks. It provides examples of each technique and emphasizes abusing vulnerabilities like file inclusion and injectable database stored procedures to achieve remote code execution. The instructor profile indicates extensive security experience and certifications. The organization Secure D Center is introduced as focusing on cybersecurity services across Southeast Asia.
This document outlines various mobile application security vulnerabilities and methods for assessing mobile application security. It discusses insecure network protocols, cryptographic weaknesses, privacy issues related to data storage, authentication and session management vulnerabilities, environmental interaction risks, and challenges of securing mobile applications against reverse engineering. It provides examples of specific vulnerabilities discovered in mobile applications and frameworks. The document promotes applying a defense-in-depth approach to mobile application security based on the OWASP Mobile Application Security Verification Standard (MASVS).
The document discusses application security testing (AppSec), which involves analyzing applications for security vulnerabilities at different stages of the software development lifecycle. It describes different types of application security testing like static AST, dynamic AST, interactive AST, and software composition analysis. The document also outlines core focus areas of AppSec like infrastructure as code testing, container security, and fuzz testing. It notes evolving focus areas like API testing and cloud-native support to keep pace with modern application development.
OWASP Top 10 Most Critical Web Application Security Risks
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code. More info at: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The document discusses the Mobile Application Security Verification Standard (MASVS) project from OWASP. It provides an overview of the MASVS levels and describes the eight verification requirements areas: 1) Architecture, Design and Threat Modeling; 2) Data Storage and Privacy; 3) Cryptography; 4) Authentication and Session Management; 5) Network Communication; 6) Platform Interaction; 7) Code Quality and Build Setting; and 8) Resilience. Each verification requirement area includes example requirements and references related information. The goal of MASVS is to provide a standard way to verify the security of mobile apps and help developers build more secure apps.
Pactera - Cloud, Application, Cyber Security Trend 2016 by Kyle Lai
This document summarizes cybersecurity trends from surveys conducted in 2016. It finds that 38% of organizations have a maturing application security program, while 41% cited public-facing web applications as the leading cause of breaches. Regarding cloud security, 79% of respondents are implementing or using cloud environments actively, with infrastructure as a service being the most popular service. The document also introduces Pactera's cybersecurity services capabilities, which include application security testing, secure development training, and third-party risk management.
The session will present the risks of insecure mobile application development across three areas, with demonstrations: client side, communication channel and server side. The presentation includes case studies of insecure development practices that let an attacker abuse the vulnerable application (e.g. coin/gem cheating in a gaming app, bypassing security controls on the client side and on the server side).
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R... by Sounil Yu
The Cyber Defense Matrix enables organizations to define clear categories for the range of products and services that are available in the marketplace to solve our various infosec problems. This model removes confusion around the security technologies that we buy and helps organizations align their vendors to have the right suite of capabilities to execute their information security mission.
See the 2019 version at: http://bit.ly/cyberdefensematrixreloaded
See the 2022 version at: http://bit.ly/cyberdefensematrixrevolutions
Prathan Phongthiproek, a manager at KPMG Thailand, gave a presentation on mobile application attacks at the Cyber Defense Initiative Conference (CDIC) 2016. The presentation covered various attack vectors for both Android and iOS applications, including user input attacks, abusing application components, insecure data storage, manipulating binary and storage files, bypassing root/jailbreak detection, and intercepting network traffic. For each attack vector, the presentation estimated the potential damage level and threat level. The goal was to help organizations better understand mobile application security risks and implement proper countermeasures.
Understanding the Cyber Security Vendor Landscape by Sounil Yu
We are often inundated with vendors offering their products and services to solve our various information security problems. How can you make sense of the wide range of technologies and ensure that your control gaps are being covered? Where are opportunities for technology disruption? Where are you overly reliant on technology? This is a framework for understanding security technologies so that you can align vendors in the right bucket to ensure that you have the suite of technologies that you need to execute your information security mission.
Application Security Guide for Beginners Checkmarx
The document provides an overview of application security concepts and terms for beginners. It defines key terms like the software development lifecycle (SDLC) and secure SDLC, which incorporates security best practices into each stage of development. It also describes common application security testing methods like static application security testing (SAST) and dynamic application security testing (DAST). Finally, it outlines some common application security threats like SQL injection, cross-site scripting, and cross-site request forgery and their potential impacts.
The document summarizes a presentation on advanced mobile penetration testing. It discusses attacking three surfaces: the client software on mobile devices, the communications channel, and server-side infrastructure. It provides examples of exploiting iOS and Android applications, such as decompiling code, intercepting traffic with proxies, and accessing embedded data and databases. The presentation emphasizes fast, hands-on techniques and tools for assessing mobile application security.
This document provides guidelines for elementary information security practices for organizations. It discusses basic steps organizations can take to improve security without spending much money. The guidelines are divided into sections on basic security, web application security, network/host security, and include recommendations such as using strong passwords, encrypting sensitive data, updating software regularly, conducting security awareness training, and closing unnecessary network ports. The overall aim is to help organizations identify and address common security mistakes and vulnerabilities.
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security by Sounil Yu
We are rapidly approaching the next era of security where we need to be focused on the ability to recover from irrecoverable attacks. This can also be defined as resiliency. The traditional view of resiliency attempts to quickly restore assets that support services that we care about. This new approach/paradigm looks at resilience in ways that promote design patterns (distributed, immutable, ephemeral) where we do not care about a given asset at all while still keeping the overall service functioning. This new approach allows us to avoid having to deal with security at all.
Tomorrow Starts Here - Security Everywhere Cisco Canada
The document discusses Cisco's security solutions and services. Some key points:
- Cisco conducts a large amount of threat intelligence gathering from network traffic and other sources.
- Cisco offers a range of security products including next-generation firewalls, advanced malware protection, and threat defense.
- Cisco provides managed threat defense services where security experts monitor customer networks and respond to threats.
Are existing compliance requirements sufficient to prevent data breaches? This session provides a technical assessment of the 2019 Capital One data breach, illustrating the technical modus operandi of the attack, and identifies the related compliance requirements based on the NIST Cybersecurity Framework. Attendees will learn about the unexpected impact of corporate culture on overall cyber security posture.
This talk was presented at RSA Conference 2021 (Session RMG-T15) on May 18, 2021.
Original paper available for download at SSRN: Novaes Neto, Nelson and Madnick, Stuart E. and Moraes G. de Paula, Anchises and Malara Borges, Natasha, A Case Study of the Capital One Data Breach (28/04/2020). https://ssrn.com/abstract=3570138
Stop Account Takeover Attacks, Right in their Tracks by Imperva
During every hour of every day, cyber criminals silently bypass traditional perimeter controls. They use millions of stolen user credentials to take over Web application accounts, access sensitive applications, steal confidential data, and conduct fraudulent transactions. According to the latest Verizon DBIR report, over 50% of Web application attacks launched by organized crime in 2014 involved stolen credentials.
View this presentation to learn why real-time threat intelligence is the key to preventing Web account takeover attacks.
Lessons Learned in Automated Decision Making / How to Delay Building Skynet by Sounil Yu
There is much talk of topics like artificial intelligence, machine learning, and automation within the security industry. We are led to believe that these capabilities will revolutionize our security practices. However, we need to be conscious of the limits of these capabilities before we entrust them with matters of importance. To understand the limits, we need to understand what each of these capabilities really mean and how they fit together. Unfortunately, most people combine these capabilities and use the terms almost interchangeably. Doing so is dangerous and can create unintended consequences.
“Verify and never trust”: The Zero Trust Model of information security by Ahmed Banafa
The Zero Trust Model of information security assumes there are no trusted interfaces, applications, traffic, networks or users. It was developed by John Kindervag as an evolution from the old "trust but verify" model, since recent breaches have shown that trusting without verifying is risky. The Zero Trust Model has three key concepts - ensure all resources are accessed securely regardless of location, adopt a least privilege strategy and strictly enforce access control, and inspect and log all traffic. It also shifts the primary attack vector from outside-in to inside-out, as internal users accessing external sites can now be just as vulnerable as external users. Implementing the Zero Trust Model involves steps like updating firewalls, establishing protected enclaves, and deploy
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber... by Nicolas Beyer
This document summarizes the cyber security market opportunity. It notes that the total cyber security market size was $31.5 billion in 2013 and is expected to grow 8.8% annually. It identifies several trends driving growth, such as the digital economy, need for holistic approaches, and focus on data security. It also outlines market segments, players, and growth opportunities and challenges for both security services and software providers.
Robert Hurlbut - Threat Modeling for Secure Software Design by centralohioissa
The document discusses threat modeling as a process for secure software design. It begins with an introduction of the speaker, Robert Hurlbut, and his background. The presentation then discusses how threat modeling helps bridge gaps between different security roles and fits within the software development lifecycle. Key aspects of threat modeling covered include understanding the system, identifying potential threats, determining mitigations and risks. The document provides examples and questions to guide the threat modeling process.
The document discusses security testing and the OWASP Top 10. It provides an overview of each of the top 10 vulnerabilities according to the OWASP 2017 list, including injection, broken authentication, sensitive data exposure, XML external entities, broken access control, and security misconfiguration. For each vulnerability, it describes how to identify if an application is vulnerable and how to prevent the vulnerability. It includes examples of each vulnerability type through short code demonstrations.
MDR-SOC is a cybersecurity framework services | Ampcus Inc by Unified11
MDR-SOC is high-performance and scalable; it uses Apache Metron as its base platform, with C/C++ and Python as its core components. It indexes and searches log and other data in near real time.
The document outlines an information security workshop presentation on the scope and importance of information security. It discusses 10 key domains of information security knowledge including access control, application security, risk management, cryptography, operations security, physical security, security architecture, telecommunications, and networks. The presenter has 10 years of IT consulting experience and various security certifications. The goals are to raise awareness of information security and the need for regional cooperation such as a Pacific Computer Emergency Response Team.
Cybersecurity frameworks globally and Saudi Arabia by Faysal Ghauri
My second paper, on cybersecurity frameworks and how Saudi Arabia is forming. This paper was published by the International Journal of Computer Science and Information Security (IJCSIS) in April 2021, Vol. 19 No. 4.
Slides from the dataMinds Connect 2018 conference, hosted at the Ghelamco Arena in Ghent by the Belgian SQL Server User Group: SECDev(OPS), How to embrace your security.
ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now! by ITCamp
This document contains the agenda and slides for a presentation on SQL Server security. The presentation covers security foundations for database administrators (DBAs), well-known risk factors from OSSTMM and OWASP, SQL Server security best practices, security enhancements in SQL Server 2014, 2016 and 2017, SQL Server security in the cloud, DBA security, and risk management for DBAs. The slides define key security concepts, categorize security realms, outline the OSSTMM risk factors and the OWASP Top 10, and describe various SQL Server security features and configurations.
Discovering the Value of Verifying Web Application Security Using IBM Rationa... (Alan Kan)
The document discusses a workshop on web application security using IBM Rational AppScan. It introduces the importance of securing web applications and provides an overview of common vulnerabilities like cross-site scripting and SQL injection. The workshop aims to help attendees understand application security risks and how to use AppScan to automate vulnerability scanning and analysis. Hands-on labs are included to demonstrate AppScan's vulnerability detection capabilities.
How to secure and manage modern IT - Ondrej Vysek (ITCamp)
IT is changing faster and faster, and users require a completely different approach – especially millennials. Microsoft reacts to these IT needs by introducing EMS – the most complex security and management suite on the market. We will cover how to manage and secure user identity, devices and documents. The discussion will cover not only Microsoft’s operating systems but iOS and Android as well. As traditional IT assets need to be maintained as well, SCCM and cloud management can be combined very easily. Join us at this presentation to see today’s possibilities of IT.
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyberrisks
• Data Breach and Cloud Misconfigurations
• Insecure Application Programming Interfaces (APIs)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
The document provides an overview of the basics of web application security. It discusses what web application security is, why web application firewalls are not complete solutions, and how to secure websites and web applications. It also introduces the history of security flaws, vulnerabilities in web applications, and the OWASP Top 10 risks. The objectives, network vs. web security, and how to secure applications through developer training and testing are covered. Types of security testing and their benefits are also summarized.
Security in the cloud protecting your cloud apps (Cenzic)
The document discusses security best practices for cloud applications. It notes that 75% of cyber attacks target internet applications and over 400 new vulnerabilities are discovered each month. The top vulnerabilities include cross-site scripting, SQL injection, and insecure direct object references. The document provides examples of how these vulnerabilities can be exploited by hackers and recommends best practices like input validation, output encoding, secure authentication and session management to help protect applications.
Get Ready for Web Application Security Testing (Alan Kan)
The document discusses web application security testing and provides guidance for testing professionals. It outlines some of the top attacks like SQL injection and cross-site scripting. It recommends getting educated on security topics, using tools like WebScarab and IBM Rational AppScan to test for vulnerabilities, and incorporating security testing into the development process.
Johnson County Community College Cyber Security: A Brief Overview for Programmers by David Chaponniere discusses cyber security threats facing programmers as more devices connect to the internet. It outlines common attacks like phishing, use of vulnerable components, and cross-site scripting. The document recommends programmers prevent attacks through continuous education on latest threats, keeping code updated, testing for security flaws, and restricting access to sensitive code. With billions more devices expected to connect by 2020, protecting user privacy and data from attacks will be vital for technology to safely enhance daily life.
Web application vulnerabilities involve a system flaw or weakness in a web-based application. They have been around for years, largely due to not validating or sanitizing form inputs, misconfigured web servers, and application design flaws, and they can be exploited to compromise the application's security.
This document proposes an Offtech Tool and End URL Finder to determine where links lead before clicking on them. It summarizes that hackers can steal data or damage websites through malicious links. The tool was created using the Python Flask framework to independently run on various operating systems. It follows the URL route of a link to display the full, redirected URL to avoid theft of personal information. Testing showed the tool successfully detected 98.5% of links intended to steal sensitive data by analyzing URL properties like length and IP addresses.
DevSecOps aims to integrate security practices into DevOps workflows to deliver value faster and safer. It addresses challenges like keeping security practices aligned with continuous delivery models and empowered DevOps teams. DevSecOps incorporates security checks and tools into development pipelines to find and fix issues early. This helps prevent breaches like the 2017 Equifax hack, which exploited a known vulnerability. DevSecOps promotes a culture of collaboration, shared responsibility, and proactive security monitoring throughout the software development lifecycle.
This document summarizes research on challenges and issues in web security. It finds that 85% of websites are vulnerable to hacking, though organizations that provide software security training and centralize security controls experience fewer vulnerabilities. Recommendations include understanding which vulnerabilities pose the greatest risk and focusing on them, using pre-existing security controls instead of writing custom ones, and treating all user inputs as untrusted. Overall web security remains an ongoing challenge.
This document discusses secure web application development and preventing common vulnerabilities. It begins with an introduction on why web applications are often vulnerable and the importance of secure development. It then provides details on secure development lifecycles and practices, describes top vulnerabilities like injection flaws and cross-site scripting, and provides guidance on how to prevent each vulnerability through practices like input validation, output encoding, and access controls. The goal is to help developers understand security risks and how to build more robust applications through secure coding and threat modeling.
Slide Griffin - Practical Attacks and Mitigations (EnergySec)
Over the past few years, penetration testing has gotten easier. What used to take a week of scanning, analysis, and exploit research now happens in one day on average in a common IT environment. The efficiency of compromise has increased based on several factors including increased knowledge sharing, more robust computing, and automated exploitation tools. OT environments are often utilizing the same operating systems and are prone to many of the same attacks. The main differences are the presence of custom protocols, embedded systems, and lack of formal security programs to address the gaps created by two-way data communication networks.
This talk will show the most common attacks which our team currently uses to gain access and control over the networks and systems we test. More importantly, we will discuss the “top 10” things an organization can do to mitigate, remediate, and have active visibility into critical systems.
The document summarizes a presentation given by Fred Holborn of Psiframe, Inc. on data security for intellectual property managers. It discusses how theft of proprietary information caused the greatest financial losses for many organizations in 2003. It also outlines Psiframe's security assessment services which identify vulnerabilities from an attacker's perspective in order to recommend best practices for protecting information assets and networks. The document provides examples of common vulnerabilities and techniques attackers use, such as exploiting wireless networks and information leakage. It emphasizes the importance of regularly assessing security risks and implementing appropriate safeguards and regulatory compliance.
Application security Best Practices Framework (Sujata Raskar)
“Making web applications safe is in the best interest of all organizations and the general economy. Providing a clearly defined set of web application security best practices will advance security professionals’ ability to anticipate and rapidly address potential threats to their enterprise.” -Yuval Ben-Itzhak, CTO and Co-Founder KaVaDo
The document discusses the OWASP Top 10 list, which identifies the most critical web application security risks. It provides an overview of the Open Web Application Security Project (OWASP) and explains each of the top 10 risks in the current list - including broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server side request forgery. For each risk, it provides a brief example and recommendations for prevention.
Software piracy by users is generally believed to harm both software firms through lower profits and buying customers through higher prices. Thus, it is thought that perfect and costless technological protection would benefit both firms and consumers. The model developed here suggests that in some circumstances, even with significant piracy, not protecting can be the best policy, both raising firm profits and lowering selling prices. Key to the analysis is joining the presence of a positive network security with the fact that piracy increases the total number of program users. The network security exists because consumers have an incentive to economize on post-purchase learning and customization costs. Mrs. D. Seema Dev Aksatha | M. Blessing Marshal "Software Piracy Protection" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-3, April 2019,
URL: https://www.ijtsrd.com/papers/ijtsrd21705.pdf
Paper URL: https://www.ijtsrd.com/computer-science/computer-security/21705/software-piracy-protection/mrs-d-seema-dev-aksatha
Similar to ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2019 - Stacey M. Jenkins - Protecting your company's data - By psychol... (ITCamp)
Protecting your company's data: by psychologically evaluating potential Espionage and Spy activity
• We talk about protecting data.
• We talk about outside forces seeking to obtain our data by unconventional means.
• I will speak about PROTECTING OUR DATA that is stolen from trusted individuals within.
ITCamp 2019 - Silviu Niculita - Supercharge your AI efforts with the use of A... (ITCamp)
Microsoft "Automated Machine Learning" (AutoML) is an amazing toolkit now available on Azure that's really starting to ramp up.
In a nutshell, it is an automated service that identifies the best machine learning pipelines for labeled data. It dramatically frees up time for experienced practitioners and gives a tremendous boost in productivity to engineers at the start of their ML journey.
ITCamp 2019 - Peter Leeson - Managing Skills (ITCamp)
Understanding skills is key to managing any organisation. Skills are not necessarily related to your job, your qualifications or your studies, they are related to what you can do and the responsibilities you have (or should have) within your organisation. Through a systematic and structured approach to understanding, analysing and classifying skills, the business can become more effective, staff has a better understanding of their roles and responsibilities, there is increased job satisfaction, and clear career and training progression plans can be defined.
ITCamp 2019 - Mihai Tataran - Governing your Cloud Resources (ITCamp)
This document summarizes a presentation on governing cloud resources. The presentation covered:
1. The need for cloud governance to properly organize, secure, audit, and control costs of cloud resources as complexity increases.
2. How to implement governance on Microsoft Azure using tools like management groups, role-based access control, Azure Policy, auditing with activity logs, and blueprints to define repeatable resource deployments.
3. Demos of setting up management groups and policies in Azure, integrating governance with DevOps pipelines, and using autoscaling to optimize costs.
The presentation provided an overview of the importance of cloud governance and specific approaches for implementing it on Azure to manage permissions, compliance, costs, and
ITCamp 2019 - Ivana Milicic - Color - The Shadow Ruler of UX (ITCamp)
Color. It has the power to evoke emotions and empower the effectiveness of a product, but it also has the ability to ruin otherwise meticulously crafted user experiences. It often rules from the shadows, disguised as a purely aesthetic element and a means of beautification. Let’s see how to take control and strategically use color in digital product development.
Product teams often fail to remember that color has an enormous impact on our response to visual stimulation during human-computer interaction. The most immediate and direct psychological impact on experiences is of course - color. With its complexity and various levels of subconscious effects, it triggers an emotional response.
Color doesn’t live in a vacuum, and we need to start considering it in the context of use. There are many aspects that we need to take into account: the target audience and their potential visual impairments, cultural background and individual differences, previous experiences and memories, the physical environment of use and compliance with the brand.
In this talk, we will immerse into approaches and best practices that product teams should take for strategic use of color in their product design process. After a basic introduction to color theory and psychology (to make sure everyone is up to speed), we will elaborate in detail how even subtle differences in color schemes have a significant impact on interface perception and product success. We will show a series of interface examples we tested on various users and do some live testing on site as well.
Clean Architecture as a term has been around for a while. However, the path to implementing it is not always clear nor easy to follow. When projects fail for reasons that are primarily technical, the reason is often uncontrolled complexity. The complexity gets out of hand when the code lacks structure, when it lacks Clean Architecture.
In this session, I will show how to achieve consistency by implementing Clean Architecture through structure, rather than relying on discipline only. We will look at some basic building blocks of an application infrastructure which will enforce the way dependencies are created, how dependency injection is used or how separation of the data access concerns is enforced.
ITCamp 2019 - Florin Loghiade - Azure Kubernetes in Production - Field notes... (ITCamp)
You have played around with containers? You feel you can handle the adrenaline rush of publishing your containers in production? Well, hold on there, because there are some aspects you need to consider before you rush to production. How will you handle auto-scaling? What about updates/upgrades? Downtime of your app? Version 1 and Version 2? CI/CD? Etc.
This session is about deploying your services on containers using the Azure Kubernetes managed offering. You will learn about what problems you might encounter and how to handle them during your deployment journey, and we will cover the main features of Kubernetes and how they can be of use to you.
ITCamp 2019 - Florin Flestea - How 3rd Level support experience influenced m... (ITCamp)
After being a 3rd level support guy for 2 years, my code changed in several ways. Why did this happen? Is this change good? Should you care about this?
I will tell from experience how my code changed and in what ways, so that you can prevent the same mistakes I did and make your days better instead of wasting time debugging and trying to understand what happened in production.
ITCamp 2019 - Emil Craciun - RoboRestaurant of the future powered by serverle... (ITCamp)
Let's face it, our world will be taken over by robots, or at least our jobs as the scary ML & AI speculations seem to say. But until that day arrives, I want to take you on a hypothetical journey of designing and creating a fully automated restaurant of the future, where a fine tuned and efficiently orchestrated group of RoboChefs will cook your desired meal perfectly each time. And all of this is possible thanks to Actions, Timers, Monitors, Orchestrators, Sub-Orchestrators and more, all concepts from Azure Durable Functions, the real focus of this session, an extension to Functions that adds state, and which are part of Azure's Serverless Compute technologies.
ITCamp 2019 - Eldert Grootenboer - Cloud Architecture Recipes for The Enterprise (ITCamp)
Azure offers a wide range of services, with which we can build powerful solutions. But how do we know which services to choose, and how to combine them to create even better architectures? In this session, we will take a look at real-life scenarios and how we solved them by leveraging the power of Azure.
Blockchain is one of the main legal tech trends today and, like any new technology, comes with strings attached. Issues like enforceability of smart contracts, performance risks, data privacy and compliance with various regulations in different jurisdictions are main legal concerns. The session will focus on the main legal risks by means of case studies and offer a hands-on approach for risk management in case of blockchain and architectures of distributed ledgers.
ITCamp 2019 - Andy Cross - Machine Learning with ML.NET and Azure Data Lake (ITCamp)
ML.NET is an open source machine learning framework built in .NET that runs on Windows, Linux and macOS. It allows developers to integrate custom machine learning into their applications without any prior expertise in developing or tuning machine learning models. Enhance your .NET apps with sentiment analysis, price prediction, fraud detection and more using custom models built with ML.NET.
In this Session, Andy will show not only the core of ML.NET but best practices around Azure Data Lake and data in general when using .NET
ITCamp 2019 - Andy Cross - Business Outcomes from AI (ITCamp)
Andy Cross, Director of Elastacloud, Microsoft Regional Director, Azure MVP and all round good guy, gives a session on how to successfully build or transform a business using AI technologies.
Over the last years, Elastacloud have delivered analytics projects to a variety of customers. The greatest challenges around AI are both technical and organisational. The existing landscape of process and strategy doesn't solve these challenges in combination, and the gap between them causes friction and the failure of AI projects.
When modelling the outcome of actions that were informed by AI, possibly enacted by AI, the standard risk modelling approaches need to be transformed to include a factor that can change over time to represent the effectiveness of the AI solutions. Given that we should accept errors as part of the AI solution, and that errors are reinforcing of better future decisions, we need to project risk as a decreasing vector over time.
ITCamp 2019 - Andrea Saltarello - Modernise your app. The Cloud Story (ITCamp)
"App Modernisation" is such a buzzword you might end up thinking there's no such thing. That code just needs to be rewritten every "N" years, that existing apps couldn't take advantage of new platforms, technologies or frameworks. That all the fuss about "goin' cloud" is a fad. Let me tell you why you might consider being wrong.
ITCamp 2019 - Andrea Saltarello - Implementing bots and Alexa skills using Az... (ITCamp)
Thanks to the recently released v4 of the Bot Framework SDK, creating your first bot is a breeze; still, implementing a production viable one is no easy task since several aspects must be taken into account such as user authentication, integration within existing apps, multi language support, technical considerations (e.g.: Azure Functions vs. MVC Core, Blob Storage vs. CosmosDB) and, last but not least, operational costs.
Moreover, you might want to reuse your bot’s Azure hosted, Cognitive Services-backed code to address Amazon’s Alexa users to avoid the need to implement (and evolve) it twice.
Eager to learn how to do that for real? Don’t miss this code-based talk then.
ITCamp 2019 - Alex Mang - I'm Confused Should I Orchestrate my Containers on ... (ITCamp)
'There are multiple ways to skin a cat' says a famous Chinese proverb. However, when it comes to container orchestration in Azure you might feel confused and overwhelmed due to the high number of available services.
During this pragmatic session, you will get a better understanding of the pros and cons of choosing either Service Fabric or AKS for container orchestration.
ITCamp 2019 - Alex Mang - How Far Can Serverless Actually Go Now (ITCamp)
You may have heard me talk about the capabilities of Azure Logic Apps and Azure Functions before, but now I'm taking it up a few notches! And this is mostly because a lot of things have changed over the past few months in terms of serverless and cloud-native applications.
Join me at this session, during which you will get to do a deep dive with me on the ins and outs of Azure Functions when it comes to developing real applications, not just 'Hello, World's, and the brand-new, top-notch Azure Service Fabric Mesh offering.
I will finger point each bad practice and the things you should avoid, but at the end of the day we'll have created a highly scalable, production-ready application. So, how far and how fast can we actually go... now?
ITCamp 2019 - Peter Leeson - Vitruvian Quality (ITCamp)
Marcus Vitruvius Pollio, commonly known as Vitruvius, was a Roman author, architect, civil engineer and military engineer during the 1st century BC. He is known for his multi-volume work entitled “De architectura” and his discussion of perfect proportion in architecture and the human body, which led, among other things, to the famous drawing by Leonardo da Vinci called the “Vitruvian Man”.
Within the principles of “Vitruvian Quality”, we seek to find those perfect proportions and how to align all components of the business architecture in order to make them fit the human needs of the impacted stakeholders.
ITCamp 2018 - Ciprian Sorlea - Million Dollars Hello World Application (ITCamp)
This session might look like a joke, and it partially is.
On one hand it is a parody about how the most recent trends in industry can significantly increase the cost associated with launching an application (design, development, hosting & operations, etc).
However, it is also a live demo of how you can incrementally evolve your application to take advantage of all the cool technologies out there without actually needing a million dollars.
ITCamp 2018 - Ciprian Sorlea - Enterprise Architectures with TypeScript And F... (ITCamp)
The document discusses building enterprise applications with TypeScript. It provides an overview of TypeScript, describing it as a superset of JavaScript that adds types and other features. It also discusses some common technologies that work well with TypeScript, such as Node.js, Nest.js, Docker, Kubernetes, MongoDB, and Angular. The presentation aims to demonstrate how TypeScript can help build robust, scalable enterprise applications when combined with these complementary technologies.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
GraphRAG for Life Science to increase LLM accuracy (Tomaz Bratanic)
GraphRAG for the life science domain, where you retrieve information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications. He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Full-RAG: A modern architecture for hyper-personalization (Zilliz)
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
OpenID AuthZEN Interop Read Out - Authorization (David Brossard)
During Identiverse 2024 and EIC 2024, members of the OpenID AuthZEN WG got together and demoed their authorization endpoints conforming to the AuthZEN API.
How to Get CNIC Information System with Paksim Ga.pptx (danishmna97)
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Best 20 SEO Techniques To Improve Website Visibility In SERP (Pixlogix Infotech)
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers (akankshawande)
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack (shyamraj55)
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
1. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals
SECDEV(OPS).
How to Brace Your IT Security.
Tobiasz Koprowski
Data Platform MVP, MCT, Independent Consultant
Founder of Shadowland Consulting
@KoprowskiT @SHAConsultingUK
3.
1 | Security Foundation for DBA/DEV/OPS
2 | Well Known Risks Manuals (ABC)
a| OWASP4WP
b| OWASP4MP
c| SANS/CIS
6 | SQL Server Security Best Practices
7 | Security Day by Day for DBA/DEV/OPS
8 | The Stack For You
8 | Summary
Appendix
AGENDA
7.
Application security | http://bit.ly/18u8J6p
Computing security | http://bit.ly/1ARdRLd
Data security | http://bit.ly/185wfph
Information security | http://bit.ly/1ARe0ya
Network security | http://bit.ly/1C443R8
Categorizing Security - part 1
{IT REALM}
8.
Airport security | http://bit.ly/1LPZcCZ
Food security | http://bit.ly/1MYnii6
Home security | http://bit.ly/1Gz3VI1
Infrastructure security | http://bit.ly/1Bm8LIF
Physical security | http://bit.ly/1Gz3VI1
Port security | http://bit.ly/1ARewMH
Supply chain security | http://bit.ly/1Ex7ob7
School security | http://bit.ly/17Dl735
Shopping center security | http://bit.ly/1EUb1FV
Categorizing Security - part 2
{PHYSICAL REALM}
9.
Homeland security | http://bit.ly/1AAwZhE
Human security | http://bit.ly/1DhojtU
International security | http://bit.ly/1MYoyli
National security | http://bit.ly/1FEnldu
Public security | http://bit.ly/1wqpX9P
Categorizing Security - part 3
{POLITICAL REALM}
10.
application security
computing security
data security
information security
network security
home security
infrastructure security
physical security
national security
public security
Categorizing Security - part 4
{MY OPS REALM}
12.
Security is the degree of resistance to, or protection from, harm. It applies to any
vulnerable and valuable asset, such as a person, dwelling, community, nation, or
organization.
As noted by the Institute for Security and Open Methodologies (ISECOM) in the
OSSTMM 3 (Open Source Security Testing Methodology Manual), security provides
"a form of protection where a separation is created between the assets and the
threat." These separations are generically called "controls," and sometimes include
changes to the asset or the threat.
Security? What is this?
http://www.isecom.org/research/
13.
1 – What You Need to Know
2 – What You Need to Do
3 – Security Analysis
4 – Operational Security Metrics
5 – Trust Analysis
6 – Work Flow
7 - Human Security Testing
8 - Physical Security Testing
9 - Wireless Security Testing
10 - Telecommunications Security Testing
11 - Data Networks Security Testing
12 - Compliance
13 – Reporting with the STAR
14 – What You Get
15 – Open Methodology License
The Open Source Security Testing Methodology Manual
14.
The OWASP Foundation came online on December 1st, 2001; it was established as a not-for-profit
charitable organization in the United States on April 21, 2004 to ensure the ongoing availability and
support for our work at OWASP. OWASP is an international organization and the OWASP Foundation
supports OWASP efforts around the world. OWASP is an open community dedicated to enabling
organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in
improving application security. We advocate approaching application security as a people, process,
and technology problem because the most effective approaches to application security include
improvements in all of these areas. We can be found at www.owasp.org.
The Open Web Application Security Project
16.
A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Broken Access Control
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Insufficient Attack Protection
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Underprotected APIs
Top 10 Application Security Risks for Web Apps
17.
A1: Injection
Injection flaws, such as SQL, OS, XXE, and LDAP injection occur when untrusted data is sent to an
interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into
executing unintended commands or accessing data without proper authorization.
Top 10 Security Risks for Web Apps
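The A1 flaw and its standard fix side by side, as an added example that is not part of the deck: the same lookup written by splicing untrusted input into the SQL text and written with a bound parameter. The in-memory `users` table, the `lookup_*` function names and the probe string are constructed for illustration; only the parameterized form lets the database driver keep data and command apart.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Untrusted input becomes part of the SQL text, so the interpreter cannot
    # distinguish the value from the command: this is the A1 Injection flaw.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Same query with a bound parameter: the driver passes the value separately,
    # so quotes and keywords inside it are treated purely as data.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed probe: a tautology that turns the WHERE clause into "always true".
HOSTILE_INPUT = "x' OR '1'='1"


def compare(name: str) -> tuple:
    """Row counts returned by both variants for the same input."""
    conn = build_db()
    return len(lookup_vulnerable(conn, name)), len(lookup_parameterized(conn, name))


if __name__ == "__main__":
    print("legitimate 'bob':", compare("bob"))
    print("hostile input:   ", compare(HOSTILE_INPUT))
```

With the legitimate name both variants return one row; with the hostile string the concatenated query returns every row while the parameterized one returns none. The same rule applies to the SQL Server stack the deck targets: `SqlParameter` in ADO.NET, or parameterized `Invoke-Sqlcmd` in PowerShell, never string-built T-SQL.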
18.
A2: Broken Authentication and Session Management
Application functions related to authentication and session management are often implemented
incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit
other implementation flaws to assume other users’ identities (temporarily or permanently).
Top 10 Security Risks for Web Apps
19.
A3: Cross-Site Scripting (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper
validation or escaping, or updates an existing web page with user supplied data using a browser
API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which
can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Top 10 Security Risks for Web Apps
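Output encoding for the HTML body and attribute contexts, as an added example that is not part of the deck. The `render_*` helpers, the comment template and the probe string are constructed for illustration; `contains_injected_markup` is a small detection check that asks whether a rendered fragment carries any tag the template did not put there.

```python
import html
import re

TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def render_vulnerable(comment: str) -> str:
    # Untrusted data dropped straight into the page: markup in the input
    # becomes markup in the document (the A3 flaw).
    return f"<p class='comment'>{comment}</p>"


def render_escaped(comment: str) -> str:
    # HTML body context: &, <, >, " and ' become entities, so the browser
    # shows the text instead of interpreting it.
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def render_attribute(value: str) -> str:
    # Attribute context: always quote the attribute AND escape the value,
    # otherwise a stray quote can close the attribute and start a new one.
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def contains_injected_markup(rendered: str, allowed_tags: tuple) -> bool:
    """True if the fragment contains any tag name outside the template's allow-list."""
    return any(m.group(1).lower() not in allowed_tags for m in TAG_RE.finditer(rendered))


# Constructed probe: an image tag with an event handler, the classic stored-XSS payload shape.
PROBE = "<img src=x onerror=alert(1)>"

if __name__ == "__main__":
    print(render_vulnerable(PROBE))
    print(render_escaped(PROBE))
    print(render_attribute('" onfocus="alert(1)'))
```

Escaping is context-specific: the two helpers above cover the body and attribute contexts only; data placed into a script block, a URL or a CSS value needs the encoding for that context, which is why modern template engines escape by default and the deck warns about browser APIs that build JavaScript from user data.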
20.
A4: Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can
exploit these flaws to access unauthorized functionality and/or data, such as access other users'
accounts, view sensitive files, modify other users’ data, change access rights, etc.
Top 10 Security Risks for Web Apps
21.
A5: Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application,
frameworks, application server, web server, database server, platform, etc. Secure settings should
be defined, implemented, and maintained, as defaults are often insecure. Additionally, software
should be kept up to date.
Top 10 Security Risks for Web Apps
22.
A6: Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare,
and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud,
identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest
or in transit, as well as special precautions when exchanged with the browser.
Top 10 Security Risks for Web Apps
23.
A7: Insufficient Attack Protection
The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both
manual and automated attacks. Attack protection goes far beyond basic input validation and
involves automatically detecting, logging, responding, and even blocking exploit attempts.
Application owners also need to be able to deploy patches quickly to protect against attacks.
Top 10 Security Risks for Web Apps
24.
A8: Cross-Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s
session cookie and any other automatically included authentication information, to a vulnerable
web application. Such an attack allows the attacker to force a victim’s browser to generate
requests the vulnerable application thinks are legitimate requests from the victim.
Top 10 Security Risks for Web Apps
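A session store that addresses both A2 (broken session management) and A8 (CSRF) in one piece, as an added example that is not part of the deck: session ids come from the OS CSPRNG, a pre-login id is rotated at login, idle sessions expire, and each session carries a synchronizer token that a cross-site forged request cannot read. The class, the 15-minute idle timeout and the method names are assumptions made for this illustration.

```python
import hmac
import secrets
import time
from typing import Optional

SESSION_TTL = 15 * 60  # idle timeout in seconds (assumed policy value)


class SessionStore:
    """In-memory session store with rotation, idle expiry and a per-session CSRF token."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested
        self._sessions = {}          # session_id -> {"user", "csrf", "last_seen"}

    def login(self, user: str, old_session_id: Optional[str] = None) -> str:
        # Rotate: discard any pre-authentication session so an id planted in the
        # browser before login (session fixation) does not survive authentication.
        if old_session_id is not None:
            self._sessions.pop(old_session_id, None)
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not random.random()
        self._sessions[sid] = {
            "user": user,
            "csrf": secrets.token_urlsafe(32),  # synchronizer token bound to this session
            "last_seen": self._clock(),
        }
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        """Authenticated user for a cookie value, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > SESSION_TTL:
            del self._sessions[sid]  # expired: remove it so it cannot be revived
            return None
        entry["last_seen"] = now
        return entry["user"]

    def csrf_token(self, sid: str) -> Optional[str]:
        """Token to embed in forms served to this session (never in a cookie)."""
        entry = self._sessions.get(sid)
        return None if entry is None else entry["csrf"]

    def check_state_change(self, sid: str, submitted_csrf: Optional[str]) -> bool:
        # A forged cross-site request carries the session cookie automatically but
        # cannot read the token from the page, so missing or wrong tokens are rejected.
        # Constant-time comparison avoids leaking the token through timing.
        entry = self._sessions.get(sid)
        if entry is None or submitted_csrf is None or self.user_for(sid) is None:
            return False
        return hmac.compare_digest(entry["csrf"], submitted_csrf)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

In a real deployment the cookie carrying `sid` would also be flagged `Secure`, `HttpOnly` and `SameSite`, and the store would live in a shared backend rather than process memory; the logic of rotation, expiry and token binding stays the same.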
25.
A9: Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges
as the application. If a vulnerable component is exploited, such an attack can facilitate serious data
loss or server takeover. Applications and APIs using components with known vulnerabilities may
undermine application defenses and enable various attacks and impacts.
Top 10 Security Risks for Web Apps
26.
A10: Underprotected APIs
Modern applications often involve rich client applications and APIs, such as JavaScript in the browser
and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.).
These APIs are often unprotected and contain numerous vulnerabilities.
Top 10 Security Risks for Web Apps
28.
M1: Improper Platform Usage
M2: Insecure Data Storage
M3: Insecure Communication
M4: Insecure Authentication
M5: Insufficient Cryptography
M6: Insecure Authorization
M7: Client Code Quality
M8: Code Tampering
M9: Reverse Engineering
M10: Extraneous Functionality
Top 10 Application Security Risks for Mobile Apps
29.
M1: Improper Platform Usage
This category covers misuse of a platform feature or failure to use platform security controls. It might
include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security
control that is part of the mobile operating system. There are several ways that mobile apps can
experience this risk.
Top 10 Security Risks for Mobile Apps
30.
M2: Insecure Data Storage
This new category is a combination of M2 + M4 from Mobile Top Ten 2014. This covers insecure data
storage and unintended data leakage.
Top 10 Security Risks for Mobile Apps
31.
M3: Insecure Communication
This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of
sensitive assets, etc.
Top 10 Security Risks for Mobile Apps
32.
M4: Insecure Authentication
This category captures notions of authenticating the end user or bad session management. This can
include:
Failing to identify the user at all when that should be required
Failure to maintain the user's identity when it is required
Weaknesses in session management
Top 10 Security Risks for Mobile Apps
33.
M5: Insufficient Cryptography
The code applies cryptography to a sensitive information asset. However, the cryptography is
insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3. Also, if
the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for
issues where cryptography was attempted, but it wasn't done correctly.
Top 10 Security Risks for Mobile Apps
34.
M6: Insecure Authorization
This is a category to capture any failures in authorization (e.g., authorization decisions in the client
side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrolment, user
identification, etc.). If the app does not authenticate users at all in a situation where it should (e.g.,
granting anonymous access to some resource or service when authenticated and authorized access is
required), then that is an authentication failure not an authorization failure.
Top 10 Security Risks for Mobile Apps
35.
M7: Client Code Quality
This was the "Security Decisions Via Untrusted Inputs", one of our lesser-used categories. This would
be the catch-all for code-level implementation problems in the mobile client. That's distinct from
server-side coding mistakes. This would capture things like buffer overflows, format string
vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's
running on the mobile device.
Top 10 Security Risks for Mobile Apps
36.
M8: Code Tampering
This category covers binary patching, local resource modification, method hooking, method swizzling,
and dynamic memory modification. Once the application is delivered to the mobile device, the code
and data resources are resident there. An attacker can either directly modify the code, change the
contents of memory dynamically, change or replace the system APIs that the application uses, or
modify the application's data and resources. This can provide the attacker a direct method of
subverting the intended use of the software for personal or monetary gain.
Top 10 Security Risks for Mobile Apps
37.
M9: Reverse Engineering
This category includes analysis of the final core binary to determine its source code, libraries,
algorithms, and other assets. Software such as IDA Pro, Hopper, otool, and other binary inspection
tools give the attacker insight into the inner workings of the application. This may be used to exploit
other nascent vulnerabilities in the application, as well as revealing information about back end
servers, cryptographic constants and ciphers, and intellectual property.
Top 10 Security Risks for Mobile Apps
38.
M10: Extraneous Functionality
Often, developers include hidden backdoor functionality or other internal development security
controls that are not intended to be released into a production environment. For example, a developer
may accidentally include a password as a comment in a hybrid app. Another example includes
disabling of 2-factor authentication during testing.
Top 10 Security Risks for Mobile Apps
41.
CIS Critical Security Control
1. Inventory of Authorized & Unauthorized Devices:
Actively manage (inventory, track & correct) all hardware devices on the network so that only
authorized devices are given access, and unauthorized & unmanaged devices are found and
prevented from gaining access.
42.
CIS Critical Security Control
2. Inventory of Authorized & Unauthorized Software:
Actively manage (inventory, track & correct) all software on the network so that only authorized
software is installed and can execute, and that unauthorized & unmanaged software is found and
prevented from installation or execution.
43.
CIS Critical Security Control
3. Secure Configurations for Hardware & Software
on Mobile Devices, Laptops, Workstations, & Servers:
Establish, implement, and actively manage (track, report on, correct) the security configuration of
laptops, servers, workstations using a rigorous configuration management and change control
process in order to prevent attackers from exploiting vulnerable services and settings.
44.
CIS Critical Security Control
4. Continuous Vulnerability Assessment & Remediation:
Continuously acquire, assess, and take action on new information in order to identify
vulnerabilities, remediate, & minimize the window of opportunity for attackers.
45.
CIS Critical Security Control
5. Controlled Use of Administrative Privileges:
The processes and tools used to track/control/prevent/correct the use, assignment, and
configuration of administrative privileges on computers, networks, and applications.
46.
CIS Critical Security Control
6. Maintenance, Monitoring, & Analysis of Audit Logs:
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover
from an attack.
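Control 6 is only useful if someone actually analyses the logs. As an added example that is not part of the deck, here is a small detection routine run over constructed authentication log lines: it flags a source that fails five logons within a minute, and separately flags a successful logon from a source with recent failures, which is the event worth a human's attention. The log format, the threshold and the IP addresses (from the documentation range) are all constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format, syslog-like; adapt the pattern to your own source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed sample: a burst of failures, then a success, plus noise and a malformed line.
SAMPLE_LOG = [
    "2018-06-12T10:00:01Z db01 sshd: Failed password for root from 203.0.113.5",
    "2018-06-12T10:00:02Z db01 sshd: Failed password for root from 203.0.113.5",
    "2018-06-12T10:00:03Z db01 sshd: Failed password for admin from 203.0.113.5",
    "2018-06-12T10:00:04Z db01 sshd: Failed password for root from 203.0.113.5",
    "2018-06-12T10:00:05Z db01 sshd: Failed password for root from 203.0.113.5",
    "2018-06-12T10:00:06Z db01 sshd: Failed password for admin from 203.0.113.5",
    "this line is not an auth event",
    "2018-06-12T10:00:10Z db01 sshd: Accepted password for admin from 203.0.113.5",
    "2018-06-12T10:00:30Z db01 sshd: Failed password for alice from 198.51.100.7",
    "2018-06-12T10:05:00Z db01 sshd: Accepted password for alice from 198.51.100.7",
]


def parse(line: str):
    """Return a dict for a recognised auth event, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines, threshold: int = 5, window_s: int = 60) -> list:
    """Sliding-window detection. Returns (kind, source, user, timestamp) tuples."""
    alerts = []
    recent_failures = defaultdict(deque)  # source -> timestamps of failures in the window
    already_flagged = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # age out failures older than the window
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in already_flagged:
                already_flagged.add(ev["src"])  # one alert per source per burst
                alerts.append(("bruteforce", ev["src"], ev["user"], ev["ts"]))
        elif q:
            # A success right after a run of failures is the higher-value signal.
            alerts.append(("success_after_failures", ev["src"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:24s} src={src} user={user}")
```

Two alerts come out of the sample: the burst from 203.0.113.5 and the later successful logon from the same source; the single failure from 198.51.100.7 and the malformed line produce nothing. Thresholds like these belong in a SIEM rule, but the logic is the same whatever the platform.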
48.
CIS Critical Security Control
7. Email and Web Browser Protections:
Minimize the attack surface and the opportunities for attackers to manipulate human behavior
through their interaction with web browsers & email systems.
49.
CIS Critical Security Control
8. Malware Defenses:
Control the installation, spread, and execution of malicious code at multiple points in the
enterprise, while optimizing the use of automation to enable rapid updating of defense, data
gathering, & corrective action.
50.
CIS Critical Security Control
9. Limitation and Control of Network Ports, Protocols, and Services:
Manage (track/control/ correct) the ongoing operational use of ports, protocols, and services on
networked devices in order to minimize windows of vulnerability available to attackers.
51.
CIS Critical Security Control
10. Data Recovery Capability:
The processes and tools used to properly back up critical information with a proven methodology
for timely recovery of it.
52.
CIS Critical Security Control
11. Secure Configurations for Network Devices:
Establish, implement, and actively manage (track, report on, correct) the security configuration of
network infrastructure devices using a rigorous configuration management and change control
process.
53.
CIS Critical Security Control
12. Boundary Defense:
Detect/prevent/correct the flow of information transferring networks of different trust levels with
a focus on security-damaging data.
54.
CIS Critical Security Control
13. Data Protection:
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data,
and ensure the privacy and integrity of sensitive information.
55.
CIS Critical Security Control
14. Controlled Access Based on the Need to Know:
The processes and tools used to track/control/prevent/correct secure access to critical assets
according to the formal determination of which persons, computers, and applications have a need
and right to access these critical assets based on an approved classification.
56.
CIS Critical Security Control
15. Wireless Access Control:
The processes and tools used to track/control/prevent/correct the secure use of wireless local
area networks (LANs), access points, and wireless client systems.
57.
CIS Critical Security Control
16. Account Monitoring & Control:
Actively manage the life cycle of system and application accounts – their creation, use, dormancy,
deletion – in order to minimize opportunities for attackers to leverage them.
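The dormancy half of Control 16, as an added example that is not part of the deck: a review pass over an exported account list that flags enabled accounts nobody has used for 45 days, enabled accounts that were created long ago and never logged on, and disabled accounts still sitting in a privileged group. The record layout, the 45-day threshold and the sample accounts are constructed for this illustration.

```python
from datetime import date, timedelta

DORMANT_DAYS = 45  # assumed policy threshold

# Constructed sample, shaped like a directory export.
ACCOUNTS = [
    {"name": "alice", "enabled": True, "created": date(2017, 1, 10),
     "last_logon": date(2018, 6, 1), "groups": ["Domain Admins"]},
    {"name": "svc_backup", "enabled": True, "created": date(2016, 5, 2),
     "last_logon": date(2018, 2, 1), "groups": []},
    {"name": "contractor7", "enabled": True, "created": date(2018, 3, 1),
     "last_logon": None, "groups": []},
    {"name": "newhire", "enabled": True, "created": date(2018, 6, 4),
     "last_logon": None, "groups": []},
    {"name": "olddba", "enabled": False, "created": date(2015, 3, 3),
     "last_logon": date(2017, 12, 1), "groups": ["Domain Admins"]},
]


def review_accounts(accounts, today: date, dormant_days: int = DORMANT_DAYS) -> list:
    """Return (account, finding) pairs for the lifecycle problems Control 16 calls out."""
    cutoff = today - timedelta(days=dormant_days)
    findings = []
    for a in accounts:
        if a["enabled"]:
            if a["last_logon"] is None:
                # Never used: only a problem once it is old enough that a real user
                # would have logged on by now; a fresh account is not flagged.
                if a["created"] < cutoff:
                    findings.append((a["name"], "never_used"))
            elif a["last_logon"] < cutoff:
                findings.append((a["name"], "dormant"))
        elif a["groups"]:
            # Disabled is not deleted: a re-enabled account would inherit the rights.
            findings.append((a["name"], "disabled_but_privileged"))
    return findings


if __name__ == "__main__":
    for name, finding in review_accounts(ACCOUNTS, date(2018, 6, 12)):
        print(f"{name:12s} {finding}")
```

Run against the sample on 2018-06-12 it reports `svc_backup` as dormant, `contractor7` as never used and `olddba` as disabled but still privileged, while `alice` and the week-old `newhire` pass. Service accounts that legitimately never log on interactively need an exception list, or this check drowns in noise.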
59.
CIS Critical Security Control
17. Security Skills Assessment & Appropriate Training to Fill Gaps:
For all functional roles in the organization, identify the specific knowledge, skills, and abilities
needed to support defense of the enterprise.
60.
CIS Critical Security Control
18. Application Software Security:
Manage the security life cycle of all in-house developed and acquired software in order to prevent,
detect, and correct security weaknesses.
61.
CIS Critical Security Control
19. Incident Response Management:
Protect the organization’s information, as well as its reputation, by developing and implementing
an incident response infrastructure for quickly discovering an attack and then effectively
containing the damage, eradicating the attacker’s presence, and restoring the integrity of the
network and systems.
62.
CIS Critical Security Control
20. Penetration Tests & Red Team Exercises:
Test the overall strength of an organization’s defenses (the technology, the processes, and the
people) by simulating the objectives and actions of an attacker.
65.
Risk Management
NASA's illustration showing high impact risk areas
for the International Space Station
67.
Database security concerns the use of a broad range of information security controls to protect
databases (potentially including the data, the database applications or stored functions, the database
systems, the database servers and the associated network links) against compromises of their
confidentiality, integrity and availability.
It involves various types or categories of controls, such as technical, procedural/administrative and
physical. Database security is a specialist topic within the broader realms of computer security,
information security and risk management.
Risk Management for DB
68.
Security risks to database systems include, for example:
• unintended activity or misuse by authorized database users, database administrators, or
network/systems managers, or by unauthorized users or hackers (e.g. inappropriate access to
sensitive data, metadata or functions within databases, or inappropriate changes to the database
programs, structures or security configurations);
• Malware infections causing incidents such as unauthorized access, leakage or disclosure of
personal or proprietary data, deletion of or damage to the data or programs, interruption or
denial of authorized access to the database, attacks on other systems and the unanticipated
failure of database services;
Risk Management for DBA
69.
Security risks to database systems include, for example:
• Overloads, performance constraints and capacity issues resulting in the inability of authorized
users to use databases as intended;
• Physical damage to database servers caused by computer room fires or floods, overheating,
lightning, accidental liquid spills, static discharge, electronic breakdowns/equipment failures and
obsolescence;
• Design flaws and programming bugs in databases and the associated programs and systems,
creating various security vulnerabilities (e.g. unauthorized privilege escalation), data
loss/corruption, performance degradation etc.;
• Data corruption and/or loss caused by the entry of invalid data or commands, mistakes in
database or system administration processes, sabotage/criminal damage etc.
Risk Management for DBA
70.
Step 1: Make A List Of What You're Trying To Protect
Step 2: Draw A Diagram And Add Notes
Step 3: Make A List Of Your Adversaries And What They Want
Step 4: Brainstorm Threats From These Adversaries
Step 5: Estimate Probability And Potential Damage (The Overall Risk)
Step 6: Brainstorm Countermeasures And Their Issues
Step 7: Plan, Test, Pilot, Monitor, Troubleshoot and Repeat
Cyber Defense
| Practical Risk Analysis and Threat Modeling
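The seven steps carried through on a small database scenario, as an added example that is not part of the deck: steps 1 to 4 are captured as a threat register, step 5 scores each entry as probability times impact on a 1 to 5 ordinal scale, step 6 records a countermeasure with the residual score it is expected to leave, and the ranking is what step 7's plan works from. The scale, the scenario and every number in it are assumptions made for this illustration.

```python
SCALE = range(1, 6)  # assumed ordinal scale: 1 = rare / negligible ... 5 = expected / severe


def risk_score(probability: int, impact: int) -> int:
    """Step 5: overall risk as probability x impact on the 1..5 scales."""
    if probability not in SCALE or impact not in SCALE:
        raise ValueError("probability and impact must be integers in 1..5")
    return probability * impact


# Steps 1-4 and 6 as data. Constructed sample: a SQL Server instance holding customer PII.
THREATS = [
    {"id": 1, "asset": "customer table (PII)", "adversary": "external criminal",
     "threat": "SQL injection through the public web application",
     "probability": 4, "impact": 5,
     "countermeasure": "parameterized queries; least-privilege database login",
     "residual": (1, 3)},
    {"id": 2, "asset": "customer table (PII)", "adversary": "disgruntled insider",
     "threat": "DBA bulk-exports PII to removable media",
     "probability": 2, "impact": 5,
     "countermeasure": "audit logging reviewed weekly; separation of duties",
     "residual": (1, 5)},
    {"id": 3, "asset": "database server", "adversary": "opportunistic malware",
     "threat": "ransomware encrypts data and backup volumes",
     "probability": 3, "impact": 4,
     "countermeasure": "offline backups with tested restores",
     "residual": (3, 2)},
    {"id": 4, "asset": "database server", "adversary": "none (accident)",
     "threat": "disk failure in the storage array",
     "probability": 2, "impact": 3,
     "countermeasure": "redundant storage; nightly backups",
     "residual": (2, 1)},
]


def rank_threats(threats) -> list:
    """Highest inherent risk first; ties broken by impact so severe outcomes surface."""
    return sorted(
        threats,
        key=lambda t: (-risk_score(t["probability"], t["impact"]), -t["impact"]),
    )


def risk_summary(threats) -> tuple:
    """(total inherent risk, total residual risk) across the register."""
    inherent = sum(risk_score(t["probability"], t["impact"]) for t in threats)
    residual = sum(risk_score(*t["residual"]) for t in threats)
    return inherent, residual


def report(threats) -> str:
    """Step 7 input: the prioritised list with scores before and after countermeasures."""
    rows = []
    for t in rank_threats(threats):
        before = risk_score(t["probability"], t["impact"])
        after = risk_score(*t["residual"])
        rows.append(f"[{before:2d} -> {after:2d}] {t['asset']}: {t['threat']} "
                    f"(adversary: {t['adversary']}) => {t['countermeasure']}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(THREATS))
    print("inherent/residual totals:", risk_summary(THREATS))
```

The point of the crude arithmetic is the ordering, not the absolute numbers: injection (20) outranks ransomware (12) and the insider (10), which is where the first hardening effort should go, and the residual column shows that the insider threat is the one the listed countermeasure barely dents.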
71.
Even a crude risk analysis and hardening plan is vastly better
than just winging it,
and in many ways a crude plan is better than an overly formal one
if the formal one will never be completed...
or even started
(another case of "the perfect is the enemy of the good").
I hope this seven-step recipe will help you get your own security projects underway!
Conclusion
76.
• Pillar One: risk assessment and management
– A definition of the risks that apply to various asset(s), based on their business criticality.
– An assessment of the current status of each risk before it’s moved to the cloud. Using this information, each
risk can be accepted, mitigated, transferred or avoided.
– An assessment of the risk profile of each asset, assuming it has been moved to the cloud.
• Pillar Two: policy and compliance
– Cloud providers need to understand that simply listing compliance certifications isn’t sufficient. In line with
the mantra of transparency explored in the previous point, providers should take a proactive stance to
sharing their security implementations and controls.
Dimension Data often assists clients by providing them with a list of questions
that we believe they should be posing to cloud providers as part of the
evaluation process, to ensure they’re covering all the bases.
Three Pillars of a Secure Hybrid Cloud Environment
77.
Pillar Three: provider transparency
• Governance: the ability of an organisation to govern and measure enterprise risk introduced by cloud.
• Legal issues: regulations, and requirements to protect the privacy of data, and the security of information and
computer systems.
• Compliance and audit: maintaining and proving compliance when using the cloud.
• Information management and data security: managing cloud data, and responsibility for data confidentiality,
integrity and availability.
• Portability and interoperability: the ability to move data or services from one provider to another, or bring
them back in-house.
• Business continuity and disaster recovery: operational processes and procedures for business continuity and
disaster recovery.
Three Pillars of a Secure Hybrid Cloud Environment
78.
Pillar Three: provider transparency
• Data centre: evaluating any elements of a provider’s data centre architecture and operations that could be
detrimental to ongoing services.
• Incident response, notification and remediation: adequate incident detection, response, notification, and
remediation.
• Application security: securing application software running on or developed in the cloud.
• Encryption and key management: identifying proper encryption usage and scalable key management.
• Identity and access management: assessing an organisation’s readiness to conduct cloud-based identity,
entitlement, and access management.
• Virtualisation: risks associated with multi-tenancy, virtual machine isolation and co-residence, hypervisor
vulnerabilities, etc.
Three Pillars of a Secure Hybrid Cloud Environment
80.
Driving DevOps Security
Operations have become increasingly important as the software world
shifts to a more service-oriented approach. Implementing a DevOps
model is an essential move for most software companies to maintain
success. The recent adoption of DevOps has been rapid and widespread
while security best practices have been slow to keep pace. It is clear that
the transformation has helped organizations improve their velocity and
improve their products as they grow.
As cybersecurity risks continue to mount, security best practices must be
included in every team's workflow. By understanding and facilitating the
cultural shift that DevOps requires, you can help your team work faster
and more securely, with sustainable results. Download the book above
to learn everything you need to know to start running DevOps securely
at scale.
https://www.tripwire.com/solutions/devops/devops-book/
81.
SANS / CIS Critical Security Controls
Trusted by security leaders in both the private and public sector, the CIS Controls:
➢ Leverage the battle-tested expertise of the global IT community to defeat over 85% of common attacks
➢ Focus on proven best practices, not on any one vendor’s solution
➢ Offer the perfect on-ramp to execute compliance programs with mappings to PCI, NIST, ISO, and HIPAA
➢ All 20 CIS Controls V7
https://learn.cisecurity.org/20-controls-download
82.
SANS Supports the CIS Critical Security Controls with
Training, Research and What Works
To support information security practitioners and managers in implementing the CIS Critical Security Controls, SANS
provides a number of resources and information security courses.
Critical Security Controls Courses
SEC440: Critical Security Controls: Planning, Implementing and Auditing
SEC566: Implementing and Auditing the Critical Security Controls - In-Depth
Security Operations Center Courses
SEC511: Continuous Monitoring and Security Operations
SEC555: SIEM with Tactical Analysis (NEW!)
MGT517: Managing Security Operations: Detection, Response, and Intelligence (NEW!)
Information Security Resources
NewsBites: Bi-weekly email of top news stories with commentary from SANS Editors. View recent editions &
Subscribe
Whitepapers: Research from SANS instructors and masters students. Download the latest papers related to the
Critical Controls
Webcasts: Topical content presented by SANS Instructors, vendors, and leaders in infosec security. View
upcoming webcasts
83.
• ISECOM (the Institute for Security and Open Methodologies)
– http://www.isecom.org/about-us.html
• OSSTMM (Open Source Security Testing Methodology Manual)
– http://www.isecom.org/research/osstmm.html
• Library of Resources for Industrial Control System Cyber Security
– https://scadahacker.com/library/index.html
• patterns & practices: Cloud Security Approach in a Nutshell
– https://technet.microsoft.com/en-us/ff742848.aspx
• Microsoft Azure Trust Center: Security
– http://azure.microsoft.com/en-us/support/trust-center/security/
• 10 Things to know about Azure Security
– https://technet.microsoft.com/en-us/cloud/gg663906.aspx
• Security Best Practice and Label Security Whitepapers
– http://blogs.msdn.com/b/sqlsecurity/archive/2012/03/07/security-best-practice-and-label-security-whitepapers.aspx
links
84.
• Hello Secure World
– http://www.microsoft.com/click/hellosecureworld/default.mspx
• SQL Server Label Security Toolkit
– http://sqlserverlst.codeplex.com/
SQL Server Best Practices Analyzer
• Microsoft Baseline Configuration Analyzer 2.0
– http://www.microsoft.com/en-us/download/details.aspx?id=16475
• SQL Server 2005 Best Practices Analyzer (August 2008)
– http://www.microsoft.com/en-us/download/details.aspx?id=23864
• Microsoft® SQL Server® 2008 R2 Best Practices Analyzer
– http://www.microsoft.com/en-us/download/details.aspx?id=15289
• Microsoft® SQL Server® 2012 Best Practices Analyzer
– http://www.microsoft.com/en-us/download/details.aspx?id=29302
links
85.
• Microsoft Security Assessment Tool
– http://www.microsoft.com/downloads/details.aspx?FamilyID=6D79DF9C-C6D1-4E8F-8000-0BE72B430212&displaylang=en
• Microsoft Application Verifier
– http://www.microsoft.com/downloads/details.aspx?FamilyID=bd02c19c-1250-433c-8c1b-2619bd93b3a2&DisplayLang=en
• Microsoft Threat Analysis & Modelling Tool
– http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&DisplayLang=en
• How To: Protect From SQL Injection in ASP.NET
– http://msdn2.microsoft.com/en-us/library/ms998271.aspx
• Securing Your Database Server
– http://msdn.microsoft.com/en-us/library/aa302434.aspx
links
• Threats and Countermeasures
– http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch00.mspx
• Configure Windows Service Accounts and Permissions
– https://msdn.microsoft.com/en-us/library/ms143504.aspx#Network_Service
• Select an Account for the SQL Server Agent Service
– https://msdn.microsoft.com/en-us/library/ms191543.aspx
• Server Configuration - Service Accounts
– https://msdn.microsoft.com/en-us/library/cc281953.aspx
links
Azure Security: Technical Insights
Security Best Practices for Developing Azure Solutions
Protecting Data in Azure
Azure Network Security
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
Microsoft Enterprise Cloud Red Teaming
Microsoft Azure Security and Audit Log Management
Security Management in Microsoft Azure
Crypto Services and Data Security in Azure
azure resources: security
Business Continuity for Azure
Understanding Security Account Management in Azure
Azure Data Security: Cleansing and Leakage
Scenarios and Solutions Using Azure Active Directory Access Control
Securing and Authenticating a Service Bus Connection
Azure Privacy Overview (PDF)
Azure Privacy Statement
Law Enforcement Request Report
Protecting Data and Privacy in the Cloud
azure resources: security & privacy
Response to Cloud Security Alliance Cloud Controls Matrix (DOC)
Azure HIPAA Implementation Guidance (PDF)
Azure Customer PCI Guide (PDF)
The Microsoft Approach to Cloud Transparency (PDF)
Microsoft Trustworthy Computing
Operational Security for Online Services Overview (PDF)
Data Classification for Cloud Readiness
CISO Perspectives on Data Classification (PDF)
An Introduction to Designing Reliable Cloud Services (PDF)
Deploying Highly Available and Secure Cloud Solutions (PDF)
azure resources: compliance & more
• Yes, 123456 is the most common password, but here’s why that’s misleading
http://arstechnica.com/security/2015/01/yes-123456-is-the-most-common-password-but-heres-why-thats-misleading/
• CIO’s are Listening, Security is Important…
https://communities.intel.com/community/itpeernetwork/blog/2014/05/20/cio-s-are-listening-security-is-important
• The Three Pillars of a Secure Hybrid Cloud Environment
http://www.dimensiondata.com/Global/Latest-Thinking/The-Three-Pillars-of-a-Secure-Hybrid-Cloud-Environment/Pages/Home.aspx
credits
Tobiasz J Koprowski
@KoprowskiT | @SHAConsultingUK
https://about.me/KoprowskiT
http://KoprowskiT.eu/geek
after session