SlideShare a Scribd company logo

Optimizing Your Application Security Program with Netsparker and ThreadFix

Denim Group
Denim Group

The Netsparker web application security scanner allows both development and security teams to easily test web applications for common security vulnerabilities. This webinar demonstrates how Netsparker can be used with the ThreadFix vulnerability resolution platform to correlate testing results, prioritize risk decisions based on data, and transition security vulnerabilities to development teams in the tools they’re already using. Combining the application vulnerability correlation capabilities of ThreadFix with the proof-based vulnerability scanning technology of Netsparker allows organizations to take a quantitative approach to addressing application security risk.

1 of 28
Download to read offline
© 2016 Denim Group – All Rights Reserved Optimizing Your Application Security Program with Netsparker and ThreadFix October 19, 2016 Ferruh Mavituna Product Architect and CEO, Netsparker Ltd. Dan Cornell CTO, Denim Group
© 2016 Denim Group – All Rights Reserved Agenda • State of Application Security • Netsparker Overview • ThreadFix Overview • ThreadFix / Netsparker Integration 1
© 2016 Denim Group – All Rights Reserved 2
© 2016 Denim Group – All Rights Reserved Netsparker automatically finds and reports security issues in web sites and web services. Automated Web Application Security Netsparker Desktop Windows only software, easy to install and use. Netsparker Cloud SaaS version of Netsparker. Uses the very same engine, scalable and comes with enterprise features. 3
© 2016 Denim Group – All Rights Reserved Netsparker Desktop Windows Software It simulates a real attacker to find vulnerabilities in web applications automatically. Allows users to carry out advanced security tasks and especially useful for security consultants and in house security teams. 4
© 2016 Denim Group – All Rights Reserved Supports Authentication Netsparker’s Core Features Ease of Use Supports Modern Web Proof Based Scanning Integrated Exploitation Supports Mobile/Web Services uniquefeature 5
© 2016 Denim Group – All Rights Reserved Netsparker Cloud Netsparker Cloud Netsparker – Scalable, can scan thousands of websites within hours. Designed for enterprises, big teams and big datasets in mind. API for integrating with other solutions, internal products. On-premises or managed. Scalable Designed for Enterprise API uniquefeature 6
© 2016 Denim Group – All Rights Reserved Security Testing Process 7
© 2016 Denim Group – All Rights Reserved Automated Security Testing Process 2 3 Configure Custom 404, Authentication, URL Rewrite Rules etc.1 Configure and Start the Scan If there is a Local File Inclusion, exploit it safely to see that LFI is real and not a False Positive, if it’s SQL Injection, safely read data from the database. Repeat this for every vulnerability to eliminate false positives. Check if the results are correct Prioritize important issues, communicate with the developers and make necessary changes. Deploy the new version of the application and Re- test. Take Action 8
© 2016 Denim Group – All Rights Reserved Process with Netsparker & ThreadFix 2 3 URL Rewrite, will be discovered dynamically, Custom 404 will be handled automatically, authentication only requires you to enter URL, username and password. Supports SPA (Single Page Applications) automatically. 1 Start your scan quickly Netsparker will give you the proof Now you know which vulnerabilities are real, without spending any more time on them, pass them to your development team to start addressing these issues immediately. You don’t want to leave your website exposed during this process. Now import these issues into ThreadFix and generate rules for your WAF without worrying about False Positives! Take Action Proof Based Scanning Get the results with proof. If there is a SQL Injection, Netsparker will extract some data from the target web application’s database, if there is a LFI, Netsparker will give you a file from the target system etc. This applies to all direct impact vulnerabilities. 9
© 2016 Denim Group – All Rights Reserved Proof Based Scanning False Positive or not? 10
© 2016 Denim Group – All Rights Reserved A scanner you can { } 11
© 2016 Denim Group – All Rights Reserved Scalability How can you scan 1,000 applications? More importantly how can you address 10,000 issues in these applications? 12
© 2016 Denim Group – All Rights Reserved Netsparker Cloud & ThreadFix In 24 Hours you can find & hot-patch 10,000 vulnerabilities Netsparker Cloud can scan thousands of websites under 24 hours. API Import the results to ThreadFix Because results will be clearly flagged as CONFIRMED and 100% real, now you can just generate WAF rules without worrying about False Positives. Congratulations you have improved the state of your web application security significantly just under 24 hours. You still need to fix all these issues and not rely on WAF but the improvement will be huge. 13
© 2016 Denim Group – All Rights Reserved ThreadFix Overview • Create a consolidated view of your applications and vulnerabilities • Prioritize application risk decisions based on data • Reduce risk and provide protection via virtual patching • Translate vulnerabilities to developers in the tools they are already using 14
© 2016 Denim Group – All Rights Reserved ThreadFix Overview 15
© 2016 Denim Group – All Rights Reserved Create a consolidated view of your applications and vulnerabilities 16
© 2016 Denim Group – All Rights Reserved Application Portfolio Tracking 17
© 2016 Denim Group – All Rights Reserved Vulnerability Import 18
© 2016 Denim Group – All Rights Reserved Vulnerability Consolidation 19
© 2016 Denim Group – All Rights Reserved Prioritize application risk decisions based on data 20
© 2016 Denim Group – All Rights Reserved Vulnerability Prioritization 21
© 2016 Denim Group – All Rights Reserved Reporting and Metrics 22
© 2016 Denim Group – All Rights Reserved Reduce risk and provide protection via virtual patching 23
© 2016 Denim Group – All Rights Reserved WAF Virtual Patching 24
© 2016 Denim Group – All Rights Reserved Translate vulnerabilities to developers in the tools they are already using 25
© 2016 Denim Group – All Rights Reserved Defect Tracker Integration 26
© 2016 Denim Group – All Rights Reserved Questions and Contact ThreadFix www.threadfix.it Netsparker www.netsparker.com 27

Recommended

Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
Denim Group
 
Running a High-Efficiency, High-Visibility Application Security Program with...
Running a High-Efficiency, High-Visibility Application Security Program with...Running a High-Efficiency, High-Visibility Application Security Program with...
Running a High-Efficiency, High-Visibility Application Security Program with...
Denim Group
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Denim Group
 
Clear AppSec Visibility with AppSpider and ThreadFix
Clear AppSec Visibility with AppSpider and ThreadFix Clear AppSec Visibility with AppSpider and ThreadFix
Clear AppSec Visibility with AppSpider and ThreadFix
Denim Group
 
Achieving Software Assurance with Hybrid Analysis Mapping
Achieving Software Assurance with Hybrid Analysis Mapping Achieving Software Assurance with Hybrid Analysis Mapping
Achieving Software Assurance with Hybrid Analysis Mapping
Denim Group
 
What a locked down law firm looks like updated
What a locked down law firm looks like updatedWhat a locked down law firm looks like updated
What a locked down law firm looks like updated
Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 

Recommended

Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
Denim Group
 
Running a High-Efficiency, High-Visibility Application Security Program with...
Running a High-Efficiency, High-Visibility Application Security Program with...Running a High-Efficiency, High-Visibility Application Security Program with...
Running a High-Efficiency, High-Visibility Application Security Program with...
Denim Group
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Denim Group
 
Clear AppSec Visibility with AppSpider and ThreadFix
Clear AppSec Visibility with AppSpider and ThreadFix Clear AppSec Visibility with AppSpider and ThreadFix
Clear AppSec Visibility with AppSpider and ThreadFix
Denim Group
 
Achieving Software Assurance with Hybrid Analysis Mapping
Achieving Software Assurance with Hybrid Analysis Mapping Achieving Software Assurance with Hybrid Analysis Mapping
Achieving Software Assurance with Hybrid Analysis Mapping
Denim Group
 
What a locked down law firm looks like updated
What a locked down law firm looks like updatedWhat a locked down law firm looks like updated
What a locked down law firm looks like updated
Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
Denim Group
 
Waratek ISACA Webinar
Waratek ISACA WebinarWaratek ISACA Webinar
Waratek ISACA Webinar
Waratek Ltd
 
Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016
Waratek Ltd
 
Waratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside OutWaratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside Out
Waratek Ltd
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
Denim Group
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016
Waratek Ltd
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat Yourself
Denim Group
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
IBM Security
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
Denim Group
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
Guvenli Flash Uygulamalari
Guvenli Flash UygulamalariGuvenli Flash Uygulamalari
Guvenli Flash Uygulamalari
Ferruh Mavituna
 
Web 2.0 Guvenlik Trendleri
Web 2.0 Guvenlik TrendleriWeb 2.0 Guvenlik Trendleri
Web 2.0 Guvenlik Trendleri
Ferruh Mavituna
 

More Related Content

What's hot

ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
Denim Group
 
Waratek ISACA Webinar
Waratek ISACA WebinarWaratek ISACA Webinar
Waratek ISACA Webinar
Waratek Ltd
 
Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016
Waratek Ltd
 
Waratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside OutWaratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside Out
Waratek Ltd
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
Denim Group
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016
Waratek Ltd
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat Yourself
Denim Group
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
IBM Security
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
Denim Group
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 

What's hot (20)

ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
 
Waratek ISACA Webinar
Waratek ISACA WebinarWaratek ISACA Webinar
Waratek ISACA Webinar
 
Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016
 
Waratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside OutWaratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside Out
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat Yourself
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 

Viewers also liked

Guvenli Flash Uygulamalari
Guvenli Flash UygulamalariGuvenli Flash Uygulamalari
Guvenli Flash Uygulamalari
Ferruh Mavituna
 
Web 2.0 Guvenlik Trendleri
Web 2.0 Guvenlik TrendleriWeb 2.0 Guvenlik Trendleri
Web 2.0 Guvenlik Trendleri
Ferruh Mavituna
 
Laravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
Laravel ile Hızlı ve Modern Web Programlama, Ömer ÇıtakLaravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
Laravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
Netsparker Türkiye
 
POC-Netsparker
POC-NetsparkerPOC-Netsparker
POC-NetsparkerRaj Sawant
 
One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)
Ferruh Mavituna
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFix
Virtual Forge
 
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer ÇıtakOWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
Netsparker Türkiye
 
Tutorial Hacker
Tutorial HackerTutorial Hacker
Tutorial Hackerzihoenie
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
Ferruh Mavituna
 
Fortify - Source Code Analyzer
Fortify - Source Code AnalyzerFortify - Source Code Analyzer
Fortify - Source Code Analyzer
n|u - The Open Security Community
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP InstallationenABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
Virtual Forge
 
Web Servislerinin Hacklenmesi, Ömer Çıtak
Web Servislerinin Hacklenmesi, Ömer ÇıtakWeb Servislerinin Hacklenmesi, Ömer Çıtak
Web Servislerinin Hacklenmesi, Ömer Çıtak
Netsparker Türkiye
 
Web Tarayıcılarının Evrimi
Web Tarayıcılarının EvrimiWeb Tarayıcılarının Evrimi
Web Tarayıcılarının Evrimi
Ferruh Mavituna
 

Viewers also liked (15)

Guvenli Flash Uygulamalari
Guvenli Flash UygulamalariGuvenli Flash Uygulamalari
Guvenli Flash Uygulamalari
 
Web 2.0 Guvenlik Trendleri
Web 2.0 Guvenlik TrendleriWeb 2.0 Guvenlik Trendleri
Web 2.0 Guvenlik Trendleri
 
Laravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
Laravel ile Hızlı ve Modern Web Programlama, Ömer ÇıtakLaravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
Laravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
 
POC-Netsparker
POC-NetsparkerPOC-Netsparker
POC-Netsparker
 
One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFix
 
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer ÇıtakOWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
 
Tutorial Hacker
Tutorial HackerTutorial Hacker
Tutorial Hacker
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
 
Fortify - Source Code Analyzer
Fortify - Source Code AnalyzerFortify - Source Code Analyzer
Fortify - Source Code Analyzer
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP InstallationenABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
 
Web Servislerinin Hacklenmesi, Ömer Çıtak
Web Servislerinin Hacklenmesi, Ömer ÇıtakWeb Servislerinin Hacklenmesi, Ömer Çıtak
Web Servislerinin Hacklenmesi, Ömer Çıtak
 
Web Tarayıcılarının Evrimi
Web Tarayıcılarının EvrimiWeb Tarayıcılarının Evrimi
Web Tarayıcılarının Evrimi
 

Similar to Optimizing Your Application Security Program with Netsparker and ThreadFix

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
Shifting Left…AND Right to Ensure Full Application Security Coverage
Shifting Left…AND Right to Ensure Full Application Security CoverageShifting Left…AND Right to Ensure Full Application Security Coverage
Shifting Left…AND Right to Ensure Full Application Security Coverage
DevOps.com
 
Desktop Software Asset Management – Today and Tomorrow
Desktop Software Asset Management – Today and TomorrowDesktop Software Asset Management – Today and Tomorrow
Desktop Software Asset Management – Today and Tomorrow
Flexera
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Denim Group
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
Denim Group
 
B&W Netsparker overview
B&W Netsparker overviewB&W Netsparker overview
B&W Netsparker overview
Marusya Maruzhenko
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving Infrastructures
SBWebinars
 
AppTrana SECaaS (Security as a Service)
AppTrana SECaaS (Security as a Service)AppTrana SECaaS (Security as a Service)
AppTrana SECaaS (Security as a Service)
IndusfacePvtLtd
 
How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program
Denim Group
 
Windows 10 Rapid Release Management - Featuring Adaptiva
Windows 10 Rapid Release Management - Featuring AdaptivaWindows 10 Rapid Release Management - Featuring Adaptiva
Windows 10 Rapid Release Management - Featuring Adaptiva
Flexera
 
Veracode Corporate Overview - Print
Veracode Corporate Overview - PrintVeracode Corporate Overview - Print
Veracode Corporate Overview - PrintAndrew Kanikuru
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Salil Kumar Subramony
 
QualysGuard InfoDay 2014 - QualysGuard Web Application Security a Web Applica...
QualysGuard InfoDay 2014 - QualysGuard Web Application Security a Web Applica...QualysGuard InfoDay 2014 - QualysGuard Web Application Security a Web Applica...
QualysGuard InfoDay 2014 - QualysGuard Web Application Security a Web Applica...Risk Analysis Consultants, s.r.o.
 
10 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 202310 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 2023
SofiaCarter4
 
Continuous Security Testing
Continuous Security TestingContinuous Security Testing
Continuous Security Testing
Ray Lai
 
Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final Final
Robin Lutchansky
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
Proteja sus datos en cualquier servicio Cloud y Web de forma unificada
Proteja sus datos en cualquier servicio Cloud y Web de forma unificadaProteja sus datos en cualquier servicio Cloud y Web de forma unificada
Proteja sus datos en cualquier servicio Cloud y Web de forma unificada
Cristian Garcia G.
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 

Similar to Optimizing Your Application Security Program with Netsparker and ThreadFix (20)

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
 
Shifting Left…AND Right to Ensure Full Application Security Coverage
Shifting Left…AND Right to Ensure Full Application Security CoverageShifting Left…AND Right to Ensure Full Application Security Coverage
Shifting Left…AND Right to Ensure Full Application Security Coverage
 
Desktop Software Asset Management – Today and Tomorrow
Desktop Software Asset Management – Today and TomorrowDesktop Software Asset Management – Today and Tomorrow
Desktop Software Asset Management – Today and Tomorrow
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
B&W Netsparker overview
B&W Netsparker overviewB&W Netsparker overview
B&W Netsparker overview
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving Infrastructures
 
AppTrana SECaaS (Security as a Service)
AppTrana SECaaS (Security as a Service)AppTrana SECaaS (Security as a Service)
AppTrana SECaaS (Security as a Service)
 
How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program
 
Windows 10 Rapid Release Management - Featuring Adaptiva
Windows 10 Rapid Release Management - Featuring AdaptivaWindows 10 Rapid Release Management - Featuring Adaptiva
Windows 10 Rapid Release Management - Featuring Adaptiva
 
Veracode Corporate Overview - Print
Veracode Corporate Overview - PrintVeracode Corporate Overview - Print
Veracode Corporate Overview - Print
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green Method
 
QualysGuard InfoDay 2014 - QualysGuard Web Application Security a Web Applica...
QualysGuard InfoDay 2014 - QualysGuard Web Application Security a Web Applica...QualysGuard InfoDay 2014 - QualysGuard Web Application Security a Web Applica...
QualysGuard InfoDay 2014 - QualysGuard Web Application Security a Web Applica...
 
10 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 202310 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 2023
 
Continuous Security Testing
Continuous Security TestingContinuous Security Testing
Continuous Security Testing
 
Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final Final
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
Proteja sus datos en cualquier servicio Cloud y Web de forma unificada
Proteja sus datos en cualquier servicio Cloud y Web de forma unificadaProteja sus datos en cualquier servicio Cloud y Web de forma unificada
Proteja sus datos en cualquier servicio Cloud y Web de forma unificada
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 

More from Denim Group

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless Computing
Denim Group
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7
Denim Group
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset
Denim Group
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained Environments
Denim Group
 

More from Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless Computing
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained Environments
 

Recently uploaded

Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 

Recently uploaded (20)

Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 

Optimizing Your Application Security Program with Netsparker and ThreadFix

  • 1. © 2016 Denim Group – All Rights Reserved Optimizing Your Application Security Program with Netsparker and ThreadFix October 19, 2016 Ferruh Mavituna Product Architect and CEO, Netsparker Ltd. Dan Cornell CTO, Denim Group
  • 2. © 2016 Denim Group – All Rights Reserved Agenda • State of Application Security • Netsparker Overview • ThreadFix Overview • ThreadFix / Netsparker Integration 1
  • 3. © 2016 Denim Group – All Rights Reserved 2
  • 4. © 2016 Denim Group – All Rights Reserved Netsparker automatically finds and reports security issues in web sites and web services. Automated Web Application Security Netsparker Desktop Windows only software, easy to install and use. Netsparker Cloud SaaS version of Netsparker. Uses the very same engine, scalable and comes with enterprise features. 3
  • 5. © 2016 Denim Group – All Rights Reserved Netsparker Desktop Windows Software It simulates a real attacker to find vulnerabilities in web applications automatically. Allows users to carry out advanced security tasks and especially useful for security consultants and in house security teams. 4
  • 6. © 2016 Denim Group – All Rights Reserved Supports Authentication Netsparker’s Core Features Ease of Use Supports Modern Web Proof Based Scanning Integrated Exploitation Supports Mobile/Web Services uniquefeature 5
  • 7. © 2016 Denim Group – All Rights Reserved Netsparker Cloud Netsparker Cloud Netsparker – Scalable, can scan thousands of websites within hours. Designed for enterprises, big teams and big datasets in mind. API for integrating with other solutions, internal products. On-premises or managed. Scalable Designed for Enterprise API uniquefeature 6
  • 8. © 2016 Denim Group – All Rights Reserved Security Testing Process 7
  • 9. © 2016 Denim Group – All Rights Reserved Automated Security Testing Process 2 3 Configure Custom 404, Authentication, URL Rewrite Rules etc.1 Configure and Start the Scan If there is a Local File Inclusion, exploit it safely to see that LFI is real and not a False Positive, if it’s SQL Injection, safely read data from the database. Repeat this for every vulnerability to eliminate false positives. Check if the results are correct Prioritize important issues, communicate with the developers and make necessary changes. Deploy the new version of the application and Re- test. Take Action 8
  • 10. © 2016 Denim Group – All Rights Reserved Process with Netsparker & ThreadFix 2 3 URL Rewrite, will be discovered dynamically, Custom 404 will be handled automatically, authentication only requires you to enter URL, username and password. Supports SPA (Single Page Applications) automatically. 1 Start your scan quickly Netsparker will give you the proof Now you know which vulnerabilities are real, without spending any more time on them, pass them to your development team to start addressing these issues immediately. You don’t want to leave your website exposed during this process. Now import these issues into ThreadFix and generate rules for your WAF without worrying about False Positives! Take Action Proof Based Scanning Get the results with proof. If there is a SQL Injection, Netsparker will extract some data from the target web application’s database, if there is a LFI, Netsparker will give you a file from the target system etc. This applies to all direct impact vulnerabilities. 9
  • 11. © 2016 Denim Group – All Rights Reserved Proof Based Scanning False Positive or not? 10
  • 12. © 2016 Denim Group – All Rights Reserved A scanner you can { } 11
  • 13. © 2016 Denim Group – All Rights Reserved Scalability How can you scan 1,000 applications? More importantly how can you address 10,000 issues in these applications? 12
  • 14. © 2016 Denim Group – All Rights Reserved Netsparker Cloud & ThreadFix In 24 Hours you can find & hot-patch 10,000 vulnerabilities Netsparker Cloud can scan thousands of websites under 24 hours. API Import the results to ThreadFix Because results will be clearly flagged as CONFIRMED and 100% real, now you can just generate WAF rules without worrying about False Positives. Congratulations you have improved the state of your web application security significantly just under 24 hours. You still need to fix all these issues and not rely on WAF but the improvement will be huge. 13
  • 15. © 2016 Denim Group – All Rights Reserved ThreadFix Overview • Create a consolidated view of your applications and vulnerabilities • Prioritize application risk decisions based on data • Reduce risk and provide protection via virtual patching • Translate vulnerabilities to developers in the tools they are already using 14
  • 16. © 2016 Denim Group – All Rights Reserved ThreadFix Overview 15
  • 17. © 2016 Denim Group – All Rights Reserved Create a consolidated view of your applications and vulnerabilities 16
  • 18. © 2016 Denim Group – All Rights Reserved Application Portfolio Tracking 17
  • 19. © 2016 Denim Group – All Rights Reserved Vulnerability Import 18
  • 20. © 2016 Denim Group – All Rights Reserved Vulnerability Consolidation 19
  • 21. © 2016 Denim Group – All Rights Reserved Prioritize application risk decisions based on data 20
  • 22. © 2016 Denim Group – All Rights Reserved Vulnerability Prioritization 21
  • 23. © 2016 Denim Group – All Rights Reserved Reporting and Metrics 22
  • 24. © 2016 Denim Group – All Rights Reserved Reduce risk and provide protection via virtual patching 23
  • 25. © 2016 Denim Group – All Rights Reserved WAF Virtual Patching 24
  • 26. © 2016 Denim Group – All Rights Reserved Translate vulnerabilities to developers in the tools they are already using 25
  • 27. © 2016 Denim Group – All Rights Reserved Defect Tracker Integration 26
  • 28. © 2016 Denim Group – All Rights Reserved Questions and Contact ThreadFix www.threadfix.it Netsparker www.netsparker.com 27