Automotive safety has been a major concern for manufacturers everywhere and now the threat of automotive hacking looms. Your team may be familiar with safety standards and defensive coding techniques but do you know how to handle security threats at the code level? What can you do next to transform your processes and development strategies?
Join automotive experts from Rogue Wave Software for the first in a three-part series on securing your code and solidifying processes to ensure safe, defect-free software. By educating teams and understanding proven techniques, you’ll be able to take the next step towards less risk and more value for your applications.
In this first one-hour webinar you'll learn:
- Techniques to protect your automotive software systems from risk
- Tools that accelerate compliance with security and safety standards
- Tips to ensure defects are eliminated as early as possible
Threat Modeling for the Internet of Things - Eric Vétillard
A presentation made in several public events in 2015 about the threats related to the Internet of Things, and how modeling can be used as a way to manage mitigation methods.
Secure by design and secure software development - Bill Ross
This secure lifecycle management process (SLCMP, pronounced "slickum") defines the basic and most realistic way to develop secure software. While the briefing is a bit dated, slide 34 still shows a very relevant process: what is below the green line is the dynamic security process that runs in support of the basic development process shown above the green line. SLCMP is supported by building a complementary information risk framework and system security plan (IRASSP). SLCMP is operationally deployed.
Why are code reviews and penetration tests not enough to secure your organization’s software? This presentation explores the importance of threat modeling in the security journey.
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode - Digital Defense Inc
http://www.ddifrontline.com
Digital Defense Inc (DDI) and Veracode present the "Crafting Super-Powered Risk Assessments" webinar and slides. The presentation covers security assessments, application security, and how to manage risk.
These slides give an overview of Application Security Risk Assessment from an SDLC standpoint. The methods used for risk assessment during the various phases of the SDLC are also discussed.
The presentation will give you an idea of the secure coding practices. The points mentioned here, I would say, are the minimum you should consider while developing an application.
This webinar series is designed to help internal auditors looking to equip themselves with the competencies and confidence to handle audits of IT controls and information security, and to learn about emerging technologies and their underlying risks.
The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits.
Session 6 of 10
This webinar focuses on Application Security:
• Application security logging and monitoring
• Issues in current logging practices
• Resources required by developers for security logging
• Correlating and alerting from log sources
• Logging in multi-tiered architectures and disparate systems
• Application security logging requirements
Software security, secure software development in the age of IoT, smart thing... - LabSharegroup
How to design secure software products for IoT, embedded application, smart metering, smart lighting, medical application with the help of Common Criteria
A successful application security program - Envision, build and scale - Priyanka Aash
Learn how to build an application security program that is successfully integrated into various stages of software development life cycle and product life cycle. This lab will draw from the facilitators’ successful experience at Sabre, focusing on the top five maxims to design, build and scale.
(Source : RSA Conference USA 2017)
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015 - Minded Security
Matteo Meucci gave a talk on software security in practice, describing the current scenario and the roadmap for an enterprise to improve its maturity in the SDLC.
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni... - Denim Group
Threat modeling is a valuable technique for identifying potential security issues in complex applications, but many teams have been slow to adopt it. This presentation looks at threat modeling from two perspectives: that of a system builder trying to avoid introducing security defects into a new system, and that of a system tester trying to identify security issues in an existing system. The materials include discussion of where threat modeling is best done during the development lifecycle as well as the process of creating and refining a threat model.
Follow Dan Cornell on twitter - @danielcornell
The Internet of Things (IoT) is an exciting and emerging area of technology allowing individuals and businesses to make radical changes to how they live their lives and conduct commerce. The challenge with this trend is that IoT devices are just computers with sensors running applications. Because IoT devices interact with our personal lives, the proliferation of these devices exposes an unprecedented amount of personal sensitive data to significant risk. In addition, IoT security is not only about the code running on the device, these devices are connected to systems that include supporting web services as well as other client applications that allow for management and reporting.
A critical step to understanding the security of any system is building a threat model. This helps to enumerate the components of the system as well as the paths that data takes as it flows through the system. Combining this information with an understanding of trust boundaries helps provide system designers with critical information to mitigate systemic risks to the technology and architecture.
This webinar looks at how threat modeling can be applied to IoT systems to help build more secure systems during the design process, as well as how to use threat modeling when testing the security of IoT systems.
Most organizations require threat models. The industry has recommended threat modeling for years. What holds us back? Master security architect, author and teacher Brook Schoenfield will take participants through a threat model experience based upon years of teaching. Expect a kick start. Practitioners will increase understanding. Experts will gain insight for teaching and programs.
(Source : RSA Conference USA 2017)
Application Security Testing for Software Engineers: An approach to build sof... - Michael Hidalgo
This talk was presented at the 7th WCSQ World Congress for Software Quality in Lima, Perú on Wednesday, 22nd March 2017.
Writing secure code is certainly not an easy endeavor. In the book “Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World (Developer Best Practices)”, authors Howard and LeBlanc describe the so-called attacker's advantage and the defender's dilemma, and put into perspective the fact that developers (identified as defenders) must build better quality software because attackers have the advantage.
In this dilemma, software applications must be in a state of defense because attackers are out there taking advantage of any minor mistake, whereas the defender must always be vigilant while adding new features to the code, fixing issues, and adding new engineers to the team. All of these conditions matter when it comes to software security.
Sadly, a strong understanding of software security principles is not a characteristic of most software engineers, but we can't blame them. Writing code is a complex task per se: the abstraction level required, along with choosing and/or writing the right algorithm and dealing with tight schedules, seems to be the common denominator whenever you talk to developers.
This talk also includes techniques, tools and guidance that software engineers can use to perform Application Security testing during the development stage, enabling them to catch vulnerabilities at the time they are created.
Agenda:
- SDLC vs S-SDLC
- Mobile development security process
- What tools to use for security testing?
- How to integrate into existing processes?
- What additionally can you do?
Project Quality-SIPOC - Select a process of your choice and creat.docx - wkyra78
Project Quality-SIPOC
Select a process of your choice and create a SIPOC for this process. Explain the utility of a SIPOC in the context of project management.
Application security in large enterprises (part 2)
Student Name:
Instructor Name:
Detailed Description:
Large enterprises of a thousand people or more often have distinctly different data security architectures than smaller businesses. Typically, they treat their data security as if they were still small companies.
This paper endeavors to demonstrate that not only do large businesses have an entire ecology of focused programs, specific to large businesses and their needs, but that this software has different security implications than consumer or small enterprise software. Identifying these differences, and analyzing how they can be taken advantage of by an attacker, is the key to both attacking and defending a large enterprise.
Web applications are an important part of your business every day: they help you handle your intellectual property, increase your sales, and keep the trust of your customers. But applications are fast becoming the preferred attack vector of hackers, so you really need something that makes your application secure.
And, given the persistent nature of today's attacks, applications can easily become infected when security is not considered and scoped into each phase of the software development life cycle, from design to development to testing and ongoing maintenance of the application. When you take a holistic approach to your application security, you actually enhance your ability to produce and manage stable, secure applications. Applications need training and testing from a leading team of ethical hackers; for this there should be an authentic plan to recover from these issues that can help an organization plan, test, build and run applications smartly and safely.
Large enterprises of a thousand people or more have distinctly different information security architectures than many smaller companies. In practice, they treat their information security as if they were still small companies.
We are going to discuss some attempts to demonstrate that not only do large companies have an entire ecology of specialized software, specific to large companies and their needs, but that this software has different security implications than consumer or small business software. Recognizing these differences, and examining how they can be taken advantage of by an attacker, is the key to both attacking and defending a large enterprise. It is really important to cover the security procedures in the large enterprise.
Key Features:
· Web application security checking from development through to output
· Security checks for the web APIs and web services that support your enterprise
· Effortlessly organize, view and share security-test outcomes and histories
· Endow broader lifecycle adoption th ...
Link to Youtube video: https://youtu.be/OJMqMWnxlT8
You can contact me at abhimanyu.bhogwan@gmail.com
My LinkedIn id: https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Threat Modeling(system+ enterprise)
What is Threat Modeling?
Why do we need Threat Modeling?
6 Most Common Threat Modeling Misconceptions
Threat Modelling Overview
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
Threat Modeling Approaches
Threat Modeling Methodologies for IT Purposes
STRIDE
Threat Modelling Detailed Flow
System Characterization
Create an Architecture Overview
Decomposing your Application
Decomposing DFDs and Threat-Element Relationship
Identify possible attack scenarios mapped to S.T.R.I.D.E. model
Identifying Security Controls
Identify possible threats
Report to Developers and Security team
DREAD Scoring
My Opinion on implementing Threat Modeling at enterprise level
Most of the money thrown at securing information systems misses the weak spots. Huge amounts are spent securing infrastructure while web applications are left exposed. It is a crisis that is largely ignored.
Software development teams, under pressure to deliver features and meet deadlines, often respond to concerns about the security of their web applications by commissioning a last-minute security assessment and then desperately attempt to address only the most glaring findings. They may even simply throw up a web application firewall to mitigate the threats. Such bolted-on solutions are not long-term answers to web application security.
Instead, we advocate a built-in approach. We will show that by weaving security into the software development life cycle, and using mature resources for security coding standards, toolkits and frameworks such as those from OWASP, development teams can consistently produce secure systems without dramatically increasing the development effort or cost.
This slide deck was most recently presented at a SPIN meeting in Cape Town In September 2012 by Paul and Theo from ThinkSmart (www.thinksmart.co.za).
For more information, contact Paul at ThinkSmart (dot see oh dot zed ay).
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US... - Mobodexter
BlackHat USA 2015 recently concluded and we heard a bunch of news about how BlackHat brought to light various security vulnerabilities in day-to-day life, such as the ZigBee protocol, a device for stealing keyless cars, and ATM card skimmers. However, the presenters, who are also ethical hackers, also gave the software community a bunch of tools to help detect and prevent security holes in hardware and software before the product is ready for release. We have reviewed all the presentations from the conference and give you here a list of the top 10 tools/utilities that help with security vulnerability detection and prevention.
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal - Threat Stack
Deploying insecure web applications into production can be risky -- resulting in potential loss of customer data, corporate intellectual property and/or brand value. Yet many organizations still deploy public-facing applications without assessing them for common and easily-exploitable vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS).
This is because traditional approaches to application security are typically complex, manual and time-consuming – deterring agile teams from incorporating code analysis into their sprints.
But it doesn’t have to be that way. By incorporating key SecDevOps concepts into the Software Development Lifecycle (SDLC) – including centralized policies and tighter collaboration and visibility between security and DevOps teams – we can now embed continuous code-level security and assessment into our agile development processes. We’ve uncovered eight patterns that work together to transform cumbersome waterfall methodologies into efficient and secure agile development.
Top 5 best practices for delivering secure in-vehicle software - Rogue Wave Software
As consumer demands drive vehicle software to new limits, the rapid evolution of embedded software technology brings security and safety software challenges. These challenges are made more difficult because vehicle software continues to increase in size and complexity, elevating the risk of failures. Regardless of the difficulty, safety critical software must be secure and reliable to avoid severely damaging a company’s reputation and competitive advantage.
At Rogue Wave, it is our job to help customers ensure their software is secure and reliable. Our source code analysis tools have analyzed billions of lines of code across the mobile device, automotive, consumer electronics, medical technologies, telecom, military and aerospace sectors. Although the automotive industry comes with some unique challenges and requirements to ensure security and compliance, we know how to work in complex environments given our experience with more than 3,000 customers over the last 25 years, including the biggest brands in the automotive industry.
TIG / Infocyte: Proactive Cybersecurity for State and Local Government - Infocyte
This webinar and presentation outlines the Infocyte HUNT threat detection and incident response platform, and how it enables state and local government organizations to:
- Reduce risk across local, off-network, and cloud IT assets
- Expose and eliminate hidden cyber threats and vulnerabilities
- Streamline your overall security operations
- Achieve and maintain compliance
Using Infocyte, TIG can provide their customers with cost-effective, easy-to-manage, and on-demand cybersecurity consulting services (e.g. compromise assessments, incident response) and managed security services (e.g. managed detection and response).
Visit https://www.infocyte.com/ to learn more and request a demo, or request a cybersecurity risk assessment (Compromise Assessment) using the link below:
https://www.infocyte.com/free-compromise-assessment/
Mike Spaulding - Building an Application Security Program - centralohioissa
Application security in many organizations is simply a 'wish list' item, but with some staff and some training, AppSec can be a reality, even for a small organization. This talk will discuss the best practices, strategies and tactics, and resource planning needed to build an internal AppSec function; everyone from enterprises to 'mom & pop' operations will benefit from this talk.
Implementing AppSec Policies with TeamMentor - tmbainjr131
This is a nice little prezo that keeps with its promise - a part 3 of 3 parts, and it pulls a story together to round out some solid product use cases going from the more practical application to the higher level application of a product - TeamMentor.
Best Practices for a Mature Application Security Program Webinar - February 2016 - Security Innovation
In this webinar, you will learn about trends in application security, threat modeling and risk rating your applications, and optimizing your Software Development Lifecycle. Highlights include:
- Research from the Ponemon Institute: Where have companies improved and where do they continue to struggle when it comes to application security?
- Understanding application security threats to different platforms and how to prioritize vulnerabilities.
- Optimizing your Software Development Lifecycle by using best practices, identifying skill gaps, and building a roadmap.
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
When did we forget that old saying, “prevention is the best medicine”, when it comes to cybersecurity? The current focus on mitigating real-time attacks and creating stronger defensive networks has overshadowed the many ways to prevent attacks right at the source – where security management has the biggest impact. Source code is where it all begins and where attack mitigation is the most effective.
In this webinar we’ll discuss methods of proactive threat assessment and mitigation that organizations use to advance cybersecurity goals today. From using static analysis to detect vulnerabilities as early as possible, to managing supply chain security through standards compliance, to scanning for and understanding potential risks in open source, these methods shift attack mitigation efforts left to simplify fixes and enable more cost-effective solutions.
Webinar recording: http://www.roguewave.com/events/on-demand-webinars/shifting-the-conversation-from-active-interception
Join security experts from Rogue Wave Software for the first in a three-part series on ensuring your code and processes are secure.
Network intrusion. Information theft. Outside reprogramming of systems. These examples are just a few of the several reasons why software security is becoming increasingly more important to all industries. No system is immune, so it’s more important than ever to understand why secure code matters and how to create safer applications.
In this first one-hour webinar you'll learn how to:
- Protect your systems from risk
- Comply with security standards
- Ensure the entire codebase is bulletproof
Enterprise Class Vulnerability Management Like A Boss, by rbrockway
A fluid and effective Vulnerability Management Framework, a core pillar in most Enterprise Security Architectures (ESA), remains a continual challenge to most organizations. Ask any of the major breach targets of the past several years. This talk takes the recent OWASP Application Security Verification Standard (ASVS) 2014 framework and applies it to Enterprise Vulnerability Management in an attempt to make a clearly complicated yet necessary part of your organization's ESA much more manageable, effective and efficient with feasible recommendations based on your business' needs.
How to Build and Validate Ransomware Attack Detections (Secure360), by Scott Sutherland
Ransomware is a strategy for adversaries to make money – a strategy that’s proven successful. During this presentation, we will cover how ransomware works, ransomware trends to watch, best practices for prevention, and more. At the core of the discussion, Scott will explain how to build detections for common tactics, techniques, and procedures (TTPs) used by ransomware families and how to validate they work, ongoing, as part of the larger security program. Participants will leave this webinar with actionable advice to ensure their organization is more resilient to ever-evolving ransomware attacks.
Manoj Purandare - Strategy towards an Effective Security Operations Centre (SOC), by Manoj Purandare
Effective Security Operations Centre (SOC) building, by Manoj Purandare. This article gives a strategy for building an effective SOC, using its 4 major steps and an 11-step recipe, for an organisation's or government's safety and security.
Manoj Purandare - Application Security - Secure Code Assessment Program - Prevention is better than Cure
1. CyberFrat Manoj Purandare
Secure Code Assessments [SCA]: Prevention is better than Cure
Part 1 of 3
Manoj Purandare
General Manager – Application Security, ACPL Systems Ltd., India.
CISSP, PMP, PgMP, Cyber Crime Analyst, ITIL, PCI-DSS Security Implementer
25 years of IT and information security expertise and experience
Application Security
3. CyberFrat
Application Security – Source Code Assessment topics
• Current scenario – SAST (Static Application Security Testing)
• Equifax and other stories to learn from
• Application security must-have: SAST planning
• What SAST and secure code assessment [SCA] are
• The secure programming techniques – abstract
• Your vulnerable application may carry multiple risks
• Understand the attack surface of your applications
• The secure code review metrics
• Application security must be part of annual risk assessments
• Tools and resources to assess and audit application security and secure code assessment [SCA] maturity
• Your future – prevention is better than cure, start S-C-A
4. CyberFrat
Application or Software & its Security?
Compare it to avoiding daily junk food and eating good food, with regular exercise or yoga, to help generate good ideas and positive actions in your body. But even good food may be impure or mixed with unwanted ingredients that make your body ill, so we need to control our food habits and keep the impurities out. Application security works the same way.
How?
Stay Current – latest security tools
Stay Updated – latest patches & fixes
Stay Secure – always monitor & control
5. CyberFrat
Before starting with Application Security
• This past June, just half-way into 2017, over 790 U.S. data breaches had already been reported, according to the Identity Theft Resource Center (ITRC). This was a half-year record high and a 29% jump from the same period in 2016, and 63% of those breaches were caused by cyber attacks.
• Since more than 80% of cyber attacks target applications, having a strong application security solution in place is vital. An application security tool helps your development team identify security vulnerabilities before an attacker does, and fix them.
• The Equifax story, and many others in the past three years, have raised doubts about our own applications and the 3rd-party applications we currently use. Equifax lacked visibility into its use of Apache Struts. Refer to CVE-2017-5638 and CVE-2017-9805.
6. CyberFrat
Current Example of a Security Breach (in short)
• In this case, Equifax, like many companies, has a large portfolio of applications. As revealed in the OSSRA report, most companies aren't doing a good job at tracking open source, so unless Equifax had deployed a solution like Black Duck Hub, they probably did not have a complete and reliable inventory of the open source components in use in their applications.
• In March, when the vulnerability was disclosed, it is highly likely that they would not even have known they were at risk, even if their security team was aware of the vulnerability. Put simply, they were flying blind.
• Exploits for CVE-2017-5638 were widely available and in use almost immediately after the vulnerability was disclosed, so Equifax entered this period of very high risk without knowing it, at the same time that attackers were actively scanning and probing for vulnerable websites and applications.
• If this is the case, the door was "unlocked" until they discovered the breach over four months later.
7. CyberFrat
So What Can Companies Learn From This?
• Visibility is critical. You can't protect yourself if you don't know what's in your code. If you don't have a complete inventory of the open source your teams are using, you are leaving your applications at risk.
• Open source vulnerability management needs to be automated and tightly integrated into development and DevOps tools and processes. You are only as secure as your weakest link. Only by ensuring that all code is scanned before going into production can you be confident that you have addressed the weak links.
• Lessen the gap between:
a) when vulnerabilities are reported, and
b) when you patch or mitigate them.
More than 10 new open source vulnerabilities are reported every day. Unfortunately, you can't rely on the National Vulnerability Database (NVD) to give you early warning of them. At the time this was written, exploits were already available for the latest Struts vulnerability (CVE-2017-9805), yet NVD still had no data for it. Research has shown that it takes an average of three weeks for vulnerabilities to be documented in NVD.
To solve this problem, some independent organizations, Black Duck among others, monitor and research vulnerabilities using hundreds of sources so they can provide same-day alerts for vulnerabilities like CVE-2017-9805.
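The "visibility" lesson above comes down to one mechanical check: an inventory of what you ship, compared against the affected-version ranges of each advisory. The script below is an added example written for this page, not the author's code nor any vendor's product. It parses a constructed sample pom.xml (not from any real system) and matches the two Struts CVEs named on the slides against the version ranges published in the Apache Struts advisories S2-045 (CVE-2017-5638) and S2-052 (CVE-2017-9805); those ranges are the only external facts it relies on.

```python
"""Match a Maven dependency inventory against known-affected version ranges.

Added example for this page; the pom.xml and the inventory are constructed
sample data. Affected ranges come from the Apache Struts advisories
S2-045 (CVE-2017-5638) and S2-052 (CVE-2017-9805).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml: one vulnerable Struts core, one patched REST plugin.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.31</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.13</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.4</version>
    </dependency>
  </dependencies>
</project>
"""

# Inclusive affected ranges per advisory; each CVE is tied to the artifact it lives in.
ADVISORIES = {
    "CVE-2017-5638": {  # S2-045: Jakarta multipart parser in struts2-core
        "artifact": "struts2-core",
        "ranges": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
    },
    "CVE-2017-9805": {  # S2-052: XStream deserialization in the REST plugin
        "artifact": "struts2-rest-plugin",
        "ranges": [("2.1.2", "2.3.33"), ("2.5", "2.5.12")],
    },
}


def parse_version(v):
    """Turn '2.3.31' into a comparable tuple (2, 3, 31); non-numeric tails are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def in_range(version, low, high):
    """Inclusive comparison, padding shorter tuples so that 2.5 compares as 2.5.0."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    n = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(lo) <= pad(v) <= pad(hi)


def inventory_from_pom(pom_text):
    """Return [(groupId, artifactId, version), ...] declared directly in a pom."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_text)
    deps = []
    for d in root.findall(".//m:dependency", ns):
        deps.append((d.find("m:groupId", ns).text,
                     d.find("m:artifactId", ns).text,
                     d.find("m:version", ns).text))
    return deps


def find_vulnerable(inventory):
    """Match every inventory entry against every advisory; return (artifact, version, cve) hits."""
    hits = []
    for _group, artifact, version in inventory:
        for cve, adv in ADVISORIES.items():
            if artifact == adv["artifact"] and any(
                    in_range(version, lo, hi) for lo, hi in adv["ranges"]):
                hits.append((artifact, version, cve))
    return hits


if __name__ == "__main__":
    for artifact, version, cve in find_vulnerable(inventory_from_pom(SAMPLE_POM)):
        print(f"{artifact} {version} is affected by {cve}")
```

Run against the sample pom it reports struts2-core 2.3.31 as affected by CVE-2017-5638 and leaves the patched REST plugin alone. A real deployment would feed this the resolved dependency tree (transitive dependencies included, which a bare pom does not show) and a feed of advisories rather than a hand-written table.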
8. CyberFrat
Application Security - must have
• Application security includes measures taken by monitoring and controlling flaws in the design, development, deployment, upgrade, or maintenance of the application.
• The primary focus is on layer 7 of the OSI model.
• Secure Code Assessments [SCA] should be part of an organization's or vendor's software (or system) development life-cycle (SDLC), including CI/CD (Continuous Integration / Continuous Deployment) pipelines.
• Monitor and try to control GitHub, Bitbucket and other software code repositories, from which developers may pull insecure code, malware, etc.
9. CyberFrat
Application Security - must have
• A key component of application security should be for developers and their managers to be aware of:
1. SCA (Secure Code Assessments) requirements,
2. common threats, and quarterly/frequent SAST assessments on existing in-house and 3rd-party apps,
3. effective countermeasures.
• The reason, which we all know: application security knowledge and maturity are still significantly lower than traditional network security, a point this presentation emphasizes.
10. CyberFrat
What is SAST (Static Application Security Testing)
SAST is a set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the "inside out" in a non-running state.
SAST has been emerging in India and has now become a reality. Secure Code Assessment [SCA] is the solution organizations are now adopting to save time and money.
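To make "analyze source code in a non-running state" concrete, here is a deliberately small static checker, added for this page and not taken from the author or from any commercial SAST engine. It parses Python source into an abstract syntax tree and walks it for a handful of well-known dangerous sinks (eval/exec, pickle.loads, and subprocess calls that hand a string to a shell). The sample source it scans is constructed; a real engine adds data-flow tracking so it can tell a constant command string from one built out of user input.

```python
"""A minimal SAST-style sink finder built on Python's ast module.

Added example for this page; not the author's code and not any vendor's
engine. The rules and SAMPLE_SOURCE below are constructed for illustration.
"""
import ast

# Constructed sample: three dangerous patterns and one safe call, as a scanner might see them.
SAMPLE_SOURCE = '''
import os, subprocess, pickle

def ping(host):
    # user-controlled 'host' is concatenated into a shell command
    return subprocess.run("ping -c 1 " + host, shell=True)

def load(blob):
    return pickle.loads(blob)

def calc(expr):
    return eval(expr)

def safe_ping(host):
    return subprocess.run(["ping", "-c", "1", host])
'''


def _call_name(node):
    """Dotted name of a call target: eval -> 'eval', subprocess.run -> 'subprocess.run'."""
    f = node.func
    parts = []
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return None  # e.g. a call on the result of another call; out of scope here


class SinkFinder(ast.NodeVisitor):
    """Records (line number, message) for every call to a known dangerous sink."""

    ALWAYS_FLAG = {
        "eval": "code injection (eval)",
        "exec": "code injection (exec)",
        "pickle.loads": "unsafe deserialization (pickle)",
    }
    SHELL_CALLS = ("subprocess.run", "subprocess.call", "subprocess.Popen",
                   "subprocess.check_output")

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node)
        if name in self.ALWAYS_FLAG:
            self.findings.append((node.lineno, self.ALWAYS_FLAG[name]))
        elif name == "os.system":
            self.findings.append((node.lineno, "command injection (shell command string)"))
        elif name in self.SHELL_CALLS:
            # only flag when shell=True is passed as a literal; a list argv without a shell is fine
            shell = any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                        and k.value.value is True for k in node.keywords)
            if shell:
                self.findings.append((node.lineno, "command injection (shell command string)"))
        self.generic_visit(node)  # keep walking: calls can be nested inside calls


def scan(source):
    """Return sorted [(lineno, message), ...] for one source file's text."""
    finder = SinkFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


if __name__ == "__main__":
    for lineno, msg in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {msg}")
```

On the sample it flags lines 6, 9 and 12 and says nothing about safe_ping, which passes an argument list and no shell. The findings are exactly the kind of "SCA requirement" a developer can act on inside the IDE before the code ever runs.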
11. CyberFrat
SAST (Static Application Security Testing)
Static Application Security Testing (SAST) solutions such as Source Code Analysis (also abbreviated SCA) have the flexibility needed to work with all types of SDLC methodology.
SAST solutions can be integrated directly into the development environment. This enables developers to monitor their code constantly. Scrum Masters and Product Owners can also enforce security standards within their development teams and organizations. This leads to quick mitigation of vulnerabilities and enhanced code integrity, so an organization can save a lot of TIME, effort and MONEY.
A diagram on this slide contrasted SAST and DAST usage.
12. CyberFrat
Approach of the common SCA tools
1. The customer provides source code, a binary portion of the application, or a URL.
2. The tool runs a thorough security test (static, dynamic or mobile) of the application or website.
3. The customer studies the results and remediates the vulnerabilities found, as per the provided reports and analysis.
For SAST, Secure Code Assessment (SCA) is nowadays widely performed using open source technologies and licensed SAST/DAST software, since organizations have understood its importance at an early stage (development and QA) and how it saves time and money, instead of being liable for losses in the millions later.
13. CyberFrat
Secure Programming Techniques: An Abstract View of a Program
• Avoid buffer overflow
• Secure software design
• Language-specific problems
• Application-specific issues
Program component: validate input, respond judiciously, call other code carefully.
Just remember these very basic things:
1. Validate all your inputs
• Command line inputs, environment variables, CGI inputs, …
• Don't just reject "bad" input; define "good" and reject all else
2. Avoid buffer overflow
3. Carefully call out to other resources
• Check all system calls and return values
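The three rules above (define "good" input, call out carefully, check every return value) fit in one short module. This is an added example written for this page, not the author's code: the hostname allow-list, the ping command and the sample inputs are all constructed. The "before" function concatenates user input into a shell string; the "after" validates against an allow-list, passes an argument list with no shell, and treats a non-zero exit status as a failure rather than ignoring it.

```python
"""Allow-list input validation beside a checked call to an external program.

Added example for this page; not the author's code. The hostname rule is a
constructed approximation (letters, digits, hyphen, dot; no leading or
trailing hyphen per label), not a complete hostname grammar.
"""
import re
import subprocess

# Define what "good" looks like and reject everything else.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def validate_hostname(value):
    """Return the hostname if it matches the allow-list, else raise ValueError."""
    if not isinstance(value, str) or len(value) > 253 or not HOSTNAME_RE.match(value):
        raise ValueError("hostname rejected")
    return value


def ping_insecure(host):
    """The 'before': user input concatenated into a shell command string.
    'example.com; rm -rf /' or '$(id)' would be interpreted by the shell."""
    return subprocess.run("ping -c 1 " + host, shell=True, capture_output=True)


def ping_secure(host, runner=subprocess.run):
    """Validate first, pass argv as a list (no shell), and check the result.

    A hostname cannot start with '-', so it cannot be mistaken for an option.
    `runner` is injectable only so the call can be exercised without network access.
    """
    host = validate_hostname(host)
    result = runner(["ping", "-c", "1", host], capture_output=True, timeout=5)
    if result.returncode != 0:
        # the call failed: report it, do not carry on as if it succeeded
        raise RuntimeError(f"ping failed with exit status {result.returncode}")
    return result.stdout


def _passes(s):
    try:
        validate_hostname(s)
        return True
    except ValueError:
        return False


def demo_inputs():
    """Which constructed inputs survive the allow-list."""
    samples = ["example.com", "host-1.internal", "127.0.0.1",
               "example.com; rm -rf /", "$(id)", "-c 1000 example.com", ""]
    return {s: _passes(s) for s in samples}


if __name__ == "__main__":
    for sample, ok in demo_inputs().items():
        print(f"{sample!r:28} -> {'accepted' if ok else 'rejected'}")
```

Note what the allow-list buys that a deny-list of ";", "$" and "|" would not: the option-injection input "-c 1000 example.com" and the empty string are rejected without anyone having thought of them in advance.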
14. CyberFrat
Secure Programming Techniques: An Abstract View of a Program
Compartmentalization:
1. Divide the system into modules
a) Each module serves a specific purpose
b) Assign different access rights to different modules
• Read/write access to files
• Read user or network input
• Execute privileged instructions (e.g., Unix root)
2. Principle of least privilege
• Give each module only the rights it needs
Defense in Depth
• Failure is unavoidable – plan for it
• Have a series of defenses
• If an error or attack is not caught by one mechanism, it should be caught by another
• Example: firewall + network intrusion detection
Fail securely
• Many, many vulnerabilities are related to error handling, debugging or testing features, and error messages
Keep it Simple
• Use standard, tested components. Don't implement your own cryptography
• Don't add unnecessary features. Extra functionality means more ways to attack
• Use simple algorithms that are easy to verify
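"Fail securely" and "give each module only the rights it needs" are easiest to see side by side. The module below is an added example for this page, not the author's code: the policy table, the lookup that can "fail", and the base directory are constructed. The insecure check lets the caller through when the policy store is unreachable; the secure one denies, logs the detail server-side, and returns the same generic error whether the user lacks the right or the path escapes the compartment, so the error message leaks nothing about which rule fired.

```python
"""Fail-closed authorisation beside a reader confined to one directory.

Added example for this page; not the author's code. POLICY, the
'unreachable store' signalled by source=None, and the base directory are
constructed for illustration.
"""
import logging
import os

log = logging.getLogger("appsec")

# Constructed policy table: who may do what.
POLICY = {"alice": {"read", "write"}, "bob": {"read"}}


def lookup_roles(user, source=POLICY):
    """Stand-in for a directory/DB lookup; raises when the backend is unavailable."""
    if source is None:
        raise ConnectionError("policy store unreachable")
    return source.get(user, set())


def is_allowed_insecure(user, action, source=POLICY):
    """The 'before': an exception in the lookup is swallowed and the caller is let through."""
    try:
        return action in lookup_roles(user, source)
    except Exception as exc:
        log.warning("lookup failed for %s: %s; allowing", user, exc)
        return True


def is_allowed(user, action, source=POLICY):
    """Fail closed: any error in the check denies; detail goes to the log, not the caller."""
    try:
        return action in lookup_roles(user, source)
    except Exception:
        log.exception("authorisation check failed for %s; denying", user)
        return False


class DocumentStore:
    """Compartment: this component may only read files below one base directory."""

    def __init__(self, base_dir):
        self.base = os.path.realpath(base_dir)

    def resolve(self, relative_name):
        """Absolute path inside base, or None for anything that escapes it
        ('../x', an absolute path, or a symlink pointing outside)."""
        candidate = os.path.realpath(os.path.join(self.base, relative_name))
        if os.path.commonpath([self.base, candidate]) != self.base:
            return None
        return candidate

    def read(self, user, relative_name, source=POLICY):
        if not is_allowed(user, "read", source):
            raise PermissionError("denied")      # generic message to the caller
        path = self.resolve(relative_name)
        if path is None:
            raise PermissionError("denied")      # same message: no hint about the path rule
        with open(path, "rb") as fh:
            return fh.read()


if __name__ == "__main__":
    print("alice write:", is_allowed("alice", "write"))
    print("store down, insecure check:", is_allowed_insecure("alice", "read", source=None))
    print("store down, secure check:", is_allowed("alice", "read", source=None))
    store = DocumentStore("/srv/appsec-demo")
    print("../etc/passwd resolves to:", store.resolve("../etc/passwd"))
```

The two checks differ by one line in the except branch, which is the whole point: the default on error has to be "deny", and deciding that once, in the check, is what keeps a later outage from becoming an authorisation bypass.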
15. CyberFrat
RISKS - Your Application may have multiple risks
• Unauthorized access to your company data or sensitive customer data
• Theft of sensitive data to conduct identity theft, credit card fraud or other crimes
• Potential damage to your brand
• Defacement of your websites
• Manipulation of data, impacting data integrity, quality and the organization's reputation
16. CyberFrat
RISKS - Your Application may have multiple risks (continued)
• Denial of service; availability of data
• Redirection of users to malicious web sites; phishing and malware distribution
• Attackers can assume valid user identities
• Access to hidden web pages using forged URLs
• Attacker's hostile data can trick the interpreter into executing unintended commands
• Development teams' negligence in handling application security while coding
17. CyberFrat
Understand the Attack Surface of your Application: your existing, known software
To assess application security, many organizations focus on obvious software resources, but overlook their overall inventory of applications and code from less obvious sources when they analyze their assets.
Common considerations:
• Lots of monetary or brand value flows through them
• Compliance requirements (e.g. PCI, HIPAA, FFIEC, etc.)
• Formal SLAs with customers
• You've had one or more previous security incidents (or near misses)
This includes:
• Critical legacy systems
• Notable web applications
18. CyberFrat
Understand the Attack Surface of your Application: the rest of the web applications your organization actually develops and maintains (internal and 3rd party)
You may miss some of these analysis points:
• Lack of knowledge; overlooked or forgot they were there
• Line-of-business applications procured through non-standard channels
• Added through a merger or acquisition
• Believed to be retired but still active
This includes:
• Line-of-business applications
• Event-specific applications, e.g. holiday apps, sales support, open enrollments
19. CyberFrat
Understand the Attack Surface of your Application: add in the new software you bought from somewhere
You may miss some of these analysis points:
• Automated scanners are good at finding web applications. Non-web, not so much.
• Contract language or un-validated assumptions that the application vendor has security "covered"
This includes:
• Less known or less utilized line-of-business applications
• Support applications
• Infrastructure applications
20. CyberFrat
Understand the Attack Surface of your Application: mobile / cloud based
You may miss some of these analysis points:
• Decentralized procurement
• Ineffective security policies
• Use of prohibited software
• Lack of awareness
This includes:
• Support for line-of-business functions
• General marketing and promotion
• Financial analysis applications
• Software as a Service (SaaS)
• Mobile applications
• User-procured software
21. CyberFrat
Attack Surface: The Security Officer's and Auditor's Perspective
As perception of the problem of attack surface grows, the scope of the problem increases – or, the more you know, the more you need to assess. This includes public-facing applications, intranet applications, or both.
Perception grows into insight across the full range of application types: web applications, mobile applications, cloud applications and services, client-server applications, and desktop applications.
22. CyberFrat
Value and Risks are not equally distributed
• Some applications matter more than others
– Value and character of the data being managed
– Value of the transactions being processed
– Cost of downtime and breaches
• Thus, all applications should not be treated the same
– Allocate different levels of resources for assurance
– Select different assurance activities, application by application
– Also address compliance and regulatory requirements, which often apply
– Also check, verify and document the quarterly, half-yearly, yearly and external audits of threats and mitigations done on all the applications
23. CyberFrat
Application Security and Network Security issues are to be handled differently
Technical rationale / A non-technical rationale (slide diagram not reproduced here)
24. CyberFrat
Mean Time to Fix (MTTF)
• A 2013 industry study from WhiteHat Security revealed that the "Mean Time to Fix" for web application flaws categorized as "serious" averaged 193 days across all industries.
• In a similar study from Veracode, 70% of 22,430 applications submitted to their testing platform in 2012 contained exploitable security vulnerabilities.
• Take strict action on your internal and 3rd-party applications as well.
• Follow up and ensure Critical and High vulnerabilities are resolved within the first quarter or two (90 to 180 days).
• Initially, target Medium and Low, and the Info and Best-practice type of suggested findings, to be resolved within the first quarter to three quarters (90 to 270 days).
25. CyberFrat
Mean Time to Fix (MTTF)
• How would you report to your management that a "serious" and likely exploitable vulnerability was present on your primary public-facing web site or a 3rd-party hosted portal for more than six months?
• Verizon's 2013 Data Breach Investigations Report says 90% of attacks last year were perpetrated by outsiders and 52% used some form of hacking. How does this help you explain application risk?
• Check whether your Application Security Analysts, Information Security Analysts, software testers and Quality Analysts are armed and prepared with working knowledge of FISMA, SANS and PCI-DSS security implementation, as per compliance and world standards.
• As a proactive measure, go for the right tools for Secure Code Assessment / Review for quarterly, half-yearly and yearly assessments, without depending on and waiting for external assessments/audits.
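The MTTF targets on the previous two slides only mean something if they are measured from the findings you actually track. The script below is an added example for this page, not the author's code: it computes MTTF over a constructed findings export and lists every finding that was fixed late or is still open past its deadline as of a reporting date. The per-severity deadlines are one reading of the slide's targets (Critical 90 days, High 180 days, Medium and Low 270 days) and are an assumption of this example, as are the finding records and the reporting date.

```python
"""Mean time to fix and SLA-breach reporting over a findings export.

Added example for this page; not the author's code. FINDINGS, SLA_DAYS and
AS_OF are constructed to match the targets on the slides.
"""
from datetime import date

# Constructed findings export: (id, application, severity, opened, closed or None if still open).
FINDINGS = [
    ("F-1", "portal", "Critical", date(2017, 1, 10), date(2017, 3, 1)),   # closed after 50 days
    ("F-2", "portal", "High",     date(2017, 2, 1),  date(2017, 7, 15)),  # closed after 164 days
    ("F-3", "vendor", "High",     date(2017, 1, 5),  None),               # still open
    ("F-4", "hr-app", "Medium",   date(2017, 3, 1),  date(2017, 6, 1)),   # closed after 92 days
    ("F-5", "hr-app", "Low",      date(2017, 1, 1),  None),               # still open
]

# Days allowed per severity: an assumed reading of the slide's 90/180/270-day targets.
SLA_DAYS = {"Critical": 90, "High": 180, "Medium": 270, "Low": 270}

# Constructed reporting date.
AS_OF = date(2017, 9, 1)


def mean_time_to_fix(findings, severities=("Critical", "High")):
    """MTTF in days over closed findings of the given severities; None if none are closed."""
    ages = [(closed - opened).days
            for _fid, _app, sev, opened, closed in findings
            if closed is not None and sev in severities]
    return sum(ages) / len(ages) if ages else None


def sla_breaches(findings, as_of):
    """Findings fixed after their deadline, or still open past it, as of the reporting date.

    Open findings age against `as_of`, so an unfixed finding keeps getting worse
    in every report rather than dropping out of the numbers.
    """
    breaches = []
    for fid, app, sev, opened, closed in findings:
        age = ((closed or as_of) - opened).days
        if age > SLA_DAYS[sev]:
            breaches.append((fid, app, sev, age, "open" if closed is None else "closed late"))
    return breaches


def report(findings, as_of):
    """The three numbers a quarterly management report needs."""
    return {
        "mttf_critical_high_days": mean_time_to_fix(findings),
        "mttf_all_days": mean_time_to_fix(findings, tuple(SLA_DAYS)),
        "breaches": sla_breaches(findings, as_of),
    }


if __name__ == "__main__":
    r = report(FINDINGS, AS_OF)
    print(f"MTTF (Critical/High): {r['mttf_critical_high_days']:.0f} days")
    print(f"MTTF (all severities): {r['mttf_all_days']:.0f} days")
    for fid, app, sev, age, state in r["breaches"]:
        print(f"SLA breach: {fid} {app} {sev} {age} days ({state})")
```

On the sample data the Critical/High MTTF is 107 days, comfortably inside the slide's 193-day industry figure, yet the report still shows one breach: the vendor application's High finding has been open 239 days. Averaging over closed findings hides exactly the items management most needs to hear about, which is why the breach list is reported alongside the mean.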
26. CyberFrat
No Automated Scanner can find all Vulnerabilities – You have to use your brain
• There is no "silver bullet" for identifying application security vulnerabilities. There are different classes of tools, ranging from static code scanners that assess the code to dynamic scanners that analyze logic and data flow. Generally, 30% to 40% of vulnerabilities can be identified by scanners; the remainder are uncovered by other means.
• Manual testing allows an informed and experienced tester to attempt to manipulate the application, escalate privileges or get the application to operate in a way it was not designed to.
• But wait, there's more…
27. CyberFrat
Common Application Test methods
• Unauthenticated automated scan
• Authenticated automated scan
• Automated source code scanning
• Manual source code review
• Blind penetration testing
• Informed manual testing
• Automated binary analysis
• Manual binary analysis
Application security goes well beyond simply running a scanning tool. For critical or high-value applications, or those that process sensitive data, thorough testing may actually include a combination of several methods.
28. CyberFrat
The Secure Code Review Metrics
• Decide what to measure
• Set the minimum benchmark
• Define reporting requirements to management and customers
• Use a hybrid approach to integrating standards into your SDLC model of choice
• Map metrics to a certain level of completion of security testing and monitoring programs
• Communicate, co-ordinate and document all the components related to your Secure SDLC before initiating a Secure Code Assessment Program
• Have a definite approach, with management and team consensus, to successfully achieve your goals in this Secure Code Review
29. CyberFrat
Metrics by SDLC Phase (General Model)
Requirements:
• Percentage of security requirements given in project specifications.
• Percentage of security requirements subject to cost/benefit and risk analysis.
• Percentage of security requirements which are considered in threat models.
Design:
• Percentage of design components subjected to attack surface analysis.
• Percentage of security controls that are covered by security design patterns.
• Percentage of security controls which pose an architectural risk.
Implementation (Coding):
• Percentage of application components subject to manual and/or automated source code review.
• Percentage of code deficiencies detected during peer reviews.
• Percentage of application components subject to code integrity/signing procedures.
Verification (Testing):
• Percentage of common weaknesses and exposures detected per requirement specification.
• Percentage of security controls within the application that met the required specification for software assurance.
30. CyberFrat
But then, where is the problem?
• You cannot bring all the code and all the developers to a centralized area and resolve everything at once.
• Good things need time, strategy and resources to implement in a structured manner.
• Consensus building across multiple business areas is not easy.
• Training and updating all developers every time is hard.
• Centralizing source code analysis is problematic.
• Finding the right reporting metrics for senior management is critical to project success.
For this, I have a solution.
31. CyberFrat
Application Security – Define your and your Auditors' basic role
Information Security Professionals
• Promote SCA awareness in your organization.
• Confirm that application security testing is part of your overall security program, as prevention is better than cure, thus saving your organization's TIME and MONEY at the initial stage itself.
• Demand that all applications developed by 3rd parties be tested and remediated in the Dev and QA stages, prior to being placed in production.
• Get all developers and their managers trained on SCA.
• Obtain and review the SDLC from a security perspective as a Secure SDLC, even in the case of CI/CD (Continuous Integration / Continuous Deployment) environments.
IT Auditors
• Be an FPG – Friend, Philosopher & Guide – to the organization in meeting standards and compliance.
• Influence your Chief Audit Executive to include SCA in the organization's annual risk assessment.
• Increase your relevance and value to your organization by identifying risks associated with poorly coded applications.
• Conduct a simple initial audit to assess what controls are in place.
• Conduct a subsequent audit to determine the effectiveness of those controls; measure MTTF.
• Consider standards and compliance regimes such as FISMA/SANS/PCI-DSS etc.
32. CyberFrat
Tools and Resources
• Open Software Assurance Maturity Model (OpenSAMM) – a freely available open source framework that organizations can use to build and assess their software security programs: www.opensamm.org
• The Open Web Application Security Project (OWASP) – worldwide not-for-profit organization focused on improving the security of software, and a source of valuable free resources: www.owasp.org
• Open source or low-cost application security scanners – OWASP Zed Attack Proxy (ZAP), w3af, Mavituna Netsparker, Websecurify, Wapiti, N-Stalker, SkipFish, Scrawlr, Acunetix, and many more, to do basic discovery work
• Also survey licensed tools such as Fortify, Checkmarx, Veracode and many similar tools and resources, comparing the features that best fit your needs.
• Your choice of the right tools depends on your requirements.
33. CyberFrat
The OWASP Top 10 For 2013
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The OWASP Top 10 for 2017 is now also available. It is recommended to keep the 2013 Top 10 in view as well, since the categories change as new vulnerability classes emerge, and you may need to cover both lists.
34. CyberFrat
Example SCA Audit Work Program
Software Assurance Maturity Model (SAMM) Scorecard, Level 1
(Maturity Level is scored per Security Practice; Activity A and Activity B record whether each Level 1 objective activity was met (1) or not met (0).)

Business Function   #   Security Practice/Phase     Maturity Level   Activity A   Activity B
Governance          1   Strategy & Metrics          0.5              0            1
                    2   Policy & Compliance         0.5              0            1
                    3   Education & Guidance        0                0            0
Construction        4   Threat Assessment           0                0            0
                    5   Security Requirements       0.5              0            1
                    6   Secure Architecture         0                0            0
Verification        7   Design Review               0.5              0            1
                    8   Code Review                 0                0            0
                    9   Security Testing            0                0            0
Deployment         10   Vulnerability Management    1                1            1
                   11   Environment Hardening       1                1            1
                   12   Operational Enablement      0                0            0

SAMM valid maturity levels:
0 – Implicit starting point representing the activities in the Practice being unfulfilled
1 – Initial understanding and ad hoc provision of the Security Practice
2 – Increased efficiency and/or effectiveness of the Security Practice
3 – Comprehensive mastery of the Security Practice at scale
Legend: 1 = objective activity was met; 0 = objective activity was not met.
38. CyberFrat
Basic requirements to understand in the case of open source or licensed VM tools
– Support reporting, customization and usage as per FISMA, SANS, OWASP, PCI-DSS, etc.
– Support consolidation and de-duplication of imported results from scanner tools, manual testing and threat modeling
– Provide extensive reports on application security status and trending over time
– Translate application vulnerabilities into software defects and push tasks to developers in the tools and systems they are already using
– Create virtual Web Application Firewall (WAF) rules to help block malicious traffic while vulnerabilities are being resolved. While your organization takes on remediation of your applications, virtual patching helps guard against common vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection.
– Compatible with a number of commercial and freely available dynamic and static scanning technologies, SaaS testing platforms, IDS/IPS, WAFs and defect trackers
– Recommended to have: a virtual application scanner, which allows audit and security professionals to identify, track and report on application security vulnerabilities and on remediation activities and their effectiveness
– Should update their scan engine, vulnerability databases, support, facilities and services at least quarterly
– This may help fulfil our quarterly / half-yearly internal compliance, information security policies, security standards, frameworks and compliance regimes (FISMA, SANS, PCI-DSS, OWASP etc.), as per the organization's convenience.
39. CyberFrat
Queries / Suggestions welcome
Manoj Purandare
You can reach me for any further assistance and consulting in :
- SAST and DAST based vulnerabilities assessments and guidance.
- How to save yourself from Hacks
- Safeguarding your IT Assets
- Secure Code Assessments / Static Code Review
- Security testing for Information Assets, Network and applications.
- Security Audits for your Applications / Websites and Infosec too.
- Forensics and Investigation and Consulting
- Information Security Consulting.
- A query /suggestion in case of - Application Security / Information Security
40. CyberFrat Manoj Purandare
My sincere acknowledgements and Special Thanks to all
1. My friend - Gaurav Batra, APAC, CISO, Mondelez International & CYBERFRAT
2. All the members of Vidyalankar Institute of Technology.
3. All the members of CYBERFRAT Team
4. All my friends in our Cyber FRAT groups, renowned members of the Infosec, Security and Investigations fields worldwide.
5. Websites: Owasp.org, blackducksoftware.com, Itcentralisation.com, and many other
important sites.
6. Joe Krull, Director, Denim Group
7. My colleagues, seniors, and all the members of Information Security Industry.
41. CyberFrat
Thank you
Manoj Purandare
General Manager – Application Security – ACPL Systems Ltd.
manojypurandare@gmail.com, technicalmanoj@gmail.com
www.linkedin.com/in/manojypurandare
Mobile: 9820841115 / 1111