3. Definition: Security terms
1. Assets:
• Holds value
• Produces value
• Provides access to value
2. Vulnerability: A weakness in an asset that makes it susceptible to attack or failure
3. Threats: Anything that reduces the value of an asset
• Intentional: Attacks => DDoS, injection, RCE
• Non-intentional: Errors or bugs
4. Security Goals
• Confidentiality: Information is only available to those who have access.
• Integrity: Data is known to be correct and trusted.
• Availability: Information is available to legitimate users when it is needed.
5. Security Principles
• Complete mediation: every access to every object is checked to ensure it is allowed (authorization); no cached or bypassable decisions.
• Open design: security must not depend on the design being secret (no security through obscurity). For example, hiding the house key under a rock is not secure.
• Least common mechanism: minimise the mechanisms shared between users or components, so that a flaw in a shared component cannot leak information or grant access across a security boundary.
• Psychological acceptability: make security easy and approachable. If it is difficult, users will look for ways around it.
• Work factor: the effort required to break the security should exceed the value of the asset being protected.
• Compromise recording: log security-relevant events so that a compromise can be detected and reconstructed even when it could not be prevented.
7. OWASP Top 10: Injection
Definition: Inadequate validation and sanitization lets attackers manipulate inputs so that untrusted data is interpreted as part of a query or command.
Types:
• Queries
• OS commands
• HTTP redirects
How does it happen?
• Trusting user input
• No sanitization of data
• No separation of untrusted data from the query or command structure
Potential impact:
• Steal data from the database
• Access PII/PHI/PCI data
• Delete data from the DB
8. 1: SQL Injection example
Login form:
Username: foo' OR 'A'='A'#
Password: (left empty)
SQL statement: "SELECT first, last, admin FROM users WHERE uname='$uname' AND pword='$pword' AND state=1"
With the payload in the username field the statement becomes
SELECT first, last, admin FROM users WHERE uname='foo' OR 'A'='A'#' AND pword='' AND state=1
Everything after # is a comment, so the password and state checks disappear and the OR clause matches every row. Do I need a password?
9. 1: SQL Injection prevention
• Parameterized queries / prepared statements: the query structure is fixed before the data is bound
• Input validation (allow-lists) in conjunction with parameterized queries, not instead of them
• Database accounts with the least privilege possible, so a successful injection cannot read or drop more than the application needs

PreparedStatement stmt = connection.prepareStatement(
    "SELECT * FROM users WHERE userid = ? AND password = ?"
);
stmt.setString(1, userid);     // bound as data, never parsed as SQL
stmt.setString(2, password);
ResultSet rs = stmt.executeQuery();
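The slide 8 query and the slide 9 fix side by side, as an added example that is not part of the original deck. It runs the login query against an in-memory SQLite database, first built by string concatenation and then as a parameterized query. Assumptions: a users table with the columns named on slide 8, constructed sample rows, and plaintext passwords kept only so the demo matches the slide (real systems store password hashes, see slide 12). The slide's payload ends in #, which is MySQL's comment marker; SQLite uses --, so the payload below is adjusted accordingly.

```python
import sqlite3

# Constructed sample data: one admin, one regular user, one disabled account.
SAMPLE_USERS = [
    ("Alice", "Admin", 1, "alice", "s3cret", 1),
    ("Bob", "User", 0, "bob", "hunter2", 1),
    ("Carol", "Old", 0, "carol", "retired", 0),   # state=0: disabled
]


def make_db():
    """Build the slide's users table in memory (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (first TEXT, last TEXT, admin INTEGER, "
        "uname TEXT, pword TEXT, state INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, uname, pword):
    """Slide 8 as written: user input is pasted into the SQL text."""
    sql = (f"SELECT first, last, admin FROM users WHERE "
           f"uname='{uname}' AND pword='{pword}' AND state=1")
    return conn.execute(sql).fetchall()


def safe_login(conn, uname, pword):
    """Slide 9: placeholders; the driver never treats the input as SQL."""
    sql = ("SELECT first, last, admin FROM users WHERE "
           "uname=? AND pword=? AND state=1")
    return conn.execute(sql, (uname, pword)).fetchall()


# '--' comments out the rest of the line (MySQL would use '#'), so the
# password and state checks vanish and "OR 'A'='A'" matches every row.
PAYLOAD = "foo' OR 'A'='A'--"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:   ", vulnerable_login(conn, PAYLOAD, "anything"))
    print("parameterized:", safe_login(conn, PAYLOAD, "anything"))
    print("legitimate:   ", safe_login(conn, "alice", "s3cret"))
```

Note that the injected query also returns the disabled account: the state=1 check was part of the commented-out tail, so an injection bypasses every condition that follows the injection point, not just the password.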
10. 2: Broken authentication
Application functions related to authentication and session
management are often not implemented correctly, allowing attackers
to compromise passwords, keys, or session tokens, or to exploit other
implementation flaws to assume other users’ identities. – OWASP
11. 2: Broken authentication
How can authentication be broken?
• Missing authentication
  – Shared or bookmarked URLs that carry a session identifier
• Poor credential strength
  – Well-known or default credentials
• Poor credential handling/management/storage
  – Username/password passed as query parameters or stored in plain text
• Poor account recovery practices
  – Secret questions whose answers can easily be socially engineered
• Unlimited attempts
  – Dictionary attacks, brute-force attacks, phishing
12. 2: Broken authentication prevention
How can broken authentication be prevented?
• Don’t build your own authentication mechanism; use a vetted library or identity provider.
• Protect credentials at rest (hash passwords with a slow, salted hash; encrypt other secrets) and use TLS in transit.
• Implement CAPTCHA and API rate limits against DDoS and brute-force attacks.
• Rotate the keys used to sign sessions or cookies.
• Implement MFA.
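Three of the slide 11 weaknesses (plaintext storage, unlimited attempts, and a comparison whose timing leaks information) addressed in one small credential store, as an added example that is not part of the original deck. Assumptions: an in-memory dictionary stands in for the user table, a constructed user, a lockout threshold of 5 failures, and a PBKDF2 iteration count lowered from OWASP's current 600,000 recommendation so the demo runs quickly.

```python
import hashlib
import hmac
import os

# Assumption: demo value. OWASP currently recommends 600,000 for
# PBKDF2-HMAC-SHA256; keep the full figure in production.
PBKDF2_ITERATIONS = 100_000
MAX_ATTEMPTS = 5


def hash_password(password, salt=None):
    """Salted, deliberately slow hash: same password, different hash per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class CredentialStore:
    def __init__(self):
        self._users = {}   # username -> {"salt", "hash", "failures"}

    def register(self, username, password):
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest, "failures": 0}

    def login(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            # Burn a hash anyway so unknown and known users take the same time
            # (otherwise response latency reveals which usernames exist).
            hash_password(password, b"\x00" * 16)
            return False
        if rec["failures"] >= MAX_ATTEMPTS:
            return False   # locked: brute force stops paying off after 5 tries
        _, candidate = hash_password(password, rec["salt"])
        # compare_digest runs in constant time, so the position of the first
        # mismatching byte cannot be inferred from how long the compare takes.
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        return False

    def is_locked(self, username):
        rec = self._users.get(username)
        return rec is not None and rec["failures"] >= MAX_ATTEMPTS
```

The lockout here is permanent, which is itself a denial-of-service lever (anyone can lock out a victim by guessing wrong five times); a real deployment pairs a small counter like this with a time-based unlock, CAPTCHA, or per-IP rate limiting as the slide suggests, rather than a hard lock.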
13. 3: Sensitive data exposure
A breach of confidentiality: data that should have been protected is disclosed.
• PHI (Protected Health Information)
Names, Dates, SSN, Biometric
• PII (Personally Identifiable Information)
Name, Address, Vehicle information, Drivers license, DOB
• Sensitive Financial Information
Credit/Debit card numbers, Account numbers, loans agreements
14. 3: Sensitive data exposure
Causes
• Sensitive data written to log files
• Plaintext storage in the database
• Sensitive data leaking from process memory or error output
• Insecure object access
Preventions
• Data masking & anonymization
• Encryption and hashing (hash what you only need to verify, such as passwords; encrypt what you need to read back)
• Access controls
• Protecting data in motion (PGP for messages, TLS for connections)
• Protecting data at rest
15. 5: Broken access control
Broken access control is broken authorization.
• Authentication validates the identity: who are you?
• Authorization validates the access granted to an identity: what can you access?
• Access control enforces policy so that users cannot act outside their intended permissions.
• Failures typically lead to unauthorized information disclosure, modification or destruction of data, or elevated access.
Causes: lack of functional (negative) testing of the access rules, CORS misconfiguration.
Impact: an ordinary user gains elevated (admin) access and can modify records.
Prevention: fail-safe defaults (deny unless explicitly allowed), proper CORS configuration, disable web server directory listing, rate-limit APIs, invalidate JWTs/sessions on logout.
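The "fail safe defaults" item above in code, as an added example that is not part of the original deck. A lookup that trusts a caller-supplied record id is the classic broken-access-control bug (authenticated, but never authorized); the hardened version decides on the caller's identity and role and denies anything it cannot positively allow. Assumptions: constructed users and documents and a two-role model (user/admin).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str          # "user" or "admin" (assumed role model)


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data.
DOCS = {
    1: Document(1, "alice", "alice's salary letter"),
    2: Document(2, "bob", "bob's medical note"),
}


class Forbidden(Exception):
    pass


def get_document_insecure(doc_id):
    """Authenticated but not authorized: any logged-in user reads any id."""
    return DOCS[doc_id]


def can_read(user, doc):
    """Allow-list policy: explicit reasons to grant, otherwise deny."""
    if user.role == "admin":
        return True
    if doc.owner == user.name:
        return True
    return False        # fail-safe default


def get_document(user, doc_id):
    doc = DOCS.get(doc_id)
    # A missing id and a forbidden id look identical to the caller, so the
    # endpoint cannot be used to enumerate which ids exist.
    if doc is None or not can_read(user, doc):
        raise Forbidden(f"{user.name} may not read document {doc_id}")
    return doc
```

The point of routing every read through can_read is that the policy has one place to be reviewed and tested; the negative tests (alice asking for bob's document, a non-existent id) are exactly the "functional testing" the slide lists as missing when access control breaks.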
16. Session management
HTTP is a stateless protocol.
A web session is a sequence of HTTP request and response transactions associated with the same user. In practice the association is made through a session cookie.
18. Session management
Poor session management
• Guessable session IDs
• Not destroying the session when it is over (logout, timeout)
• Reusing session IDs
• Exposing session IDs (in URLs, logs, referrers)
Session management best practices
• Automatically end/expire the session after inactivity
• Don’t allow long-lived sessions
• Generate non-guessable session IDs from a cryptographic random source
• Don’t re-use session IDs; issue a new one after login
Cookie settings
• Mark the session cookie Secure: it is sent only over HTTPS, so it cannot be sniffed on the wire
• Mark the session cookie HttpOnly: script cannot read it, so XSS cannot steal it
• Avoid setting Max-Age and Expires, so the browser treats it as a non-persistent session cookie and discards it on close
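The slide 18 list applied in a small server-side session store, as an added example that is not part of the original deck: non-guessable ids, idle expiry, no reuse (a fresh id after login), explicit destruction on logout, and a Set-Cookie header with Secure and HttpOnly but no Max-Age/Expires. Assumptions: the cookie name "sid", a 15-minute idle timeout, SameSite=Lax (not on the slide, but standard practice today), and a clock passed in so expiry can be tested without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60   # seconds; assumed value
COOKIE_NAME = "sid"      # assumed name


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # sid -> {"user": ..., "last_seen": ...}

    def create(self, user):
        # 32 bytes from the OS CSPRNG (256 bits): not guessable, unlike a
        # counter, a timestamp, or a hash of the username.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]     # expired: destroy, never reuse
            return None
        rec["last_seen"] = now          # sliding idle window
        return rec["user"]

    def destroy(self, sid):
        """Logout: invalidate server-side, not just in the browser."""
        self._sessions.pop(sid, None)

    def rotate(self, sid):
        """Issue a fresh id (e.g. right after login) so an id an attacker
        planted before authentication (session fixation) is never reused."""
        user = self.lookup(sid)
        if user is None:
            return None
        self.destroy(sid)
        return self.create(user)


def set_cookie_header(sid):
    # No Max-Age / Expires: the browser drops the cookie when it closes.
    # Secure: only sent over HTTPS. HttpOnly: invisible to document.cookie.
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The server-side record is what makes "destroying the session" meaningful: deleting the cookie in the browser alone leaves a stolen copy valid until the server forgets it, which is why lookup() removes expired entries and destroy() is called on logout.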
19. JSON Web Token (JWT)
JWT is an open standard (RFC 7519) that defines a compact and self-contained way of transmitting claims between parties as a JSON object.
Use cases:
1) Authorization: the most common scenario. Once the user is logged in, each subsequent request includes the JWT, allowing access to the routes, services and resources permitted for that token.
2) Information exchange: a way of transmitting information between parties whose origin and integrity can be verified.
Signed tokens (HMAC or public-key signature) confirm that the sender is who it claims to be and that the content has not been tampered with.
Caveat: a signed JWT is encoded, not encrypted; anyone holding the token can read its claims. Do not put secrets in the payload unless the token is also encrypted (JWE).
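What the signature on a JWT does and does not give you, as an added example that is not part of the original deck: a minimal HS256 signer and verifier built from the standard library, a tamper attempt that edits the payload while keeping the old signature, and a verifier that refuses an "alg": "none" token. Assumptions: a constructed shared secret, constructed claims, and an injected clock for the exp check. This is for understanding the format; use a maintained JWT library in production.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"   # assumption: HS256 shared key


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj):
    return json.dumps(obj, separators=(",", ":")).encode()


def sign(claims, key):
    """header.payload.signature, with an HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token, key, now=None):
    """Return the claims or raise ValueError. Checks alg, signature, exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: never trust the token to say how it should be
    # verified, or "none" and key-confusion attacks walk straight in.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def peek_claims(token):
    """Anyone can do this: the payload is encoded, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def forge_role(token, role):
    """What an attacker tries: edit the payload, keep the old signature."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(p64))
    claims["role"] = role
    return h64 + "." + _b64url(_json(claims)) + "." + s64
```

The two checks that matter most in verify() are the pinned algorithm and the constant-time signature comparison; the exp check is what "invalidate JWT after use" on slide 15 has to fall back on, since a stateless token cannot otherwise be revoked once issued.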
21. OAuth & OpenID
OAuth:
An open standard for access delegation, commonly used to let users grant websites or applications access to their information on other websites without giving them their passwords. OAuth is about authorization (what a client may access), not about proving who the user is.
OpenID:
OpenID (today OpenID Connect, an identity layer on top of OAuth 2.0) lets us use an existing account to sign into multiple websites without creating new passwords.
Example: Google SSO.
24. Risk rating & Threat modeling
Risk Rating
The process of assessing the risks involved in the daily activities of a business and classifying them (low, medium, high) on the basis of how likely they are and how much impact they would have on the business.
Risk = Likelihood * Impact
25. Steps in Risk rating
Identify the Risk
Factors for Estimating likelihood
Factors for Estimating Impact
Determine severity of the Risk
Deciding what to fix
27. Impacts: Risk rating
Technical impacts
• Loss of confidentiality
• Loss of integrity
• Loss of availability
• Loss of accountability
Business impacts
• Financial damage
• Reputation damage
• Non-compliance
• Privacy violation
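Slides 24 to 27 worked through as code, as an added example that is not part of the original deck. It follows the OWASP Risk Rating Methodology, whose steps and impact factors match the slides: each likelihood and impact factor is scored 0 to 9, the factors are averaged, each average is bucketed (low, medium, high), and the two buckets are combined in a severity matrix. The factor names are OWASP's; the three risks and their scores are constructed for illustration.

```python
from statistics import mean


def bucket(score):
    """OWASP thresholds: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# (likelihood level, impact level) -> overall severity, per OWASP.
SEVERITY = {
    ("LOW", "LOW"): "NOTE",       ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",     ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",    ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}
RANK = {"NOTE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def rate(likelihood_factors, impact_factors):
    """Steps 2 to 4: estimate likelihood, estimate impact, determine severity."""
    lk = mean(likelihood_factors.values())
    im = mean(impact_factors.values())
    lk_level, im_level = bucket(lk), bucket(im)
    return {
        "likelihood": round(lk, 3), "likelihood_level": lk_level,
        "impact": round(im, 3), "impact_level": im_level,
        "product": round(lk * im, 3),            # the slide's Risk = L * I
        "severity": SEVERITY[(lk_level, im_level)],
    }


def prioritize(rated):
    """Step 5, deciding what to fix: highest severity first, ties by product."""
    return sorted(rated, key=lambda n: (RANK[rated[n]["severity"]], rated[n]["product"]),
                  reverse=True)


# Constructed scores. Likelihood = threat agent factors + vulnerability factors.
RISKS = {
    "sqli_login": (   # the slide 8 injection on an internet-facing login page
        {"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
         "ease_of_discovery": 9, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 9},
        {"loss_of_confidentiality": 9, "loss_of_integrity": 7, "loss_of_availability": 5,
         "loss_of_accountability": 7, "financial_damage": 7, "reputation_damage": 9,
         "non_compliance": 7, "privacy_violation": 7}),
    "verbose_errors": (   # stack traces with table names shown to users
        {"skill_level": 5, "motive": 4, "opportunity": 7, "size": 6,
         "ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 4, "intrusion_detection": 4},
        {"loss_of_confidentiality": 9, "loss_of_integrity": 7, "loss_of_availability": 1,
         "loss_of_accountability": 7, "financial_damage": 7, "reputation_damage": 9,
         "non_compliance": 7, "privacy_violation": 7}),
    "dir_listing": (   # directory listing on a static assets path
        {"skill_level": 3, "motive": 1, "opportunity": 4, "size": 2,
         "ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 4, "intrusion_detection": 3},
        {"loss_of_confidentiality": 2, "loss_of_integrity": 1, "loss_of_availability": 1,
         "loss_of_accountability": 1, "financial_damage": 1, "reputation_damage": 1,
         "non_compliance": 2, "privacy_violation": 3}),
}


def rate_all(risks=RISKS):
    return {name: rate(lk, im) for name, (lk, im) in risks.items()}


if __name__ == "__main__":
    rated = rate_all()
    for name in prioritize(rated):
        r = rated[name]
        print(f"{name:15} L={r['likelihood']:.2f} ({r['likelihood_level']})  "
              f"I={r['impact']:.2f} ({r['impact_level']})  -> {r['severity']}")
```

The matrix, rather than the raw product, is what the deck's "low, medium, high" classification amounts to: two risks with similar products can land in different cells, and the averaging means one extreme factor (a 9 for ease of exploit, say) is tempered by the others, which is the place to customise the model if that is not what the business wants.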
30. Threat modeling
Definition
Threat modeling is an investigative technique for identifying the technical security risks (hazards) of an application before they are exploited.
Threats:
Anything that can reduce the value of an asset: hackers and malware, but also natural disasters and so on.
31. Types: Threat modeling (STRIDE)
1. Spoofing: one party masquerades as another, e.g. by using someone else’s username and password.
   Prevention: strong authentication, MFA
2. Tampering: unauthorized alteration of data, in transit or at rest.
   Prevention: hashes, signatures and checksums for integrity verification
3. Repudiation: a party denies having performed an action, and the system cannot prove otherwise.
   Prevention: audit logging and digital signatures (non-repudiation)
4. Information disclosure: a breach of confidentiality.
   Prevention: encryption at rest and TLS in transit
5. Denial of service: making the service temporarily unavailable.
   Prevention: redundancy and capacity planning, rate limits
6. Elevation of privilege: gaining access at a higher role than was granted.
   Prevention: authorization checks on every action
32. You shouldn’t & Benefits: Threat modeling
You shouldn’t assume you have a secure environment.
You shouldn’t assume that compute, network, or storage resources are reliable.
You shouldn’t assume your environment is correctly configured.
You shouldn’t rely on gut feeling alone.
Benefits
• Better understanding of the architecture
• Reusable architecture models
• Inputs to other activities such as risk management, code reviews and penetration testing
Tools: wiki, PowerPoint, Visio, dedicated threat modeling tools
Protecting CIA means protecting availability too, not only confidentiality and integrity.
Work factor: nobody will spend $1500 on tools to break into a $500 system.
Do not let users run queries directly on the database host.
Enabling Secure allows the cookie to be sent only over HTTPS.
Enabling HttpOnly allows the cookie to be sent with HTTP requests but not to be accessed from script.
Don’t set Max-Age or Expires, so the browser removes the cookie when it is closed; otherwise the cookie is persisted to disk.
Hazards are potential harms; a risk is a hazard combined with the likelihood and impact of it actually causing harm.
Stairs kill about 1000 people a year whereas bears kill about one: the everyday hazard carries the bigger risk, however it feels.