In this whitepaper, presented at Black Hat Asia 2015 Briefing session, we highlight how even if the Security Content Automation Protocol (SCAP) federates a number of open standards that are used to enumerate software
flaws and configuration issues related to security, there is a need for having a unique common metadata schema to represent important aspects relevant for designing efficient search engines
Classification of software security vulnerability no doubt facilitates the understanding of security-related information and accelerates vulnerability analysis. The lack of proper classification not only hinders its understanding but also renders the strategy of developing mitigation mechanism for clustered vulnerabilities. Now software developers and researchers are agreed on the fact that requirement and design phase of the software are the phases where security incorporation yields maximum benefits. In this paper we have attempted to design a classifier that can identify and classify design level vulnerabilities. In this classifier, first vulnerability classes are identified on the basis of well established security properties like authentication and authorization. Vulnerability training data is collected from various authentic sources like Common Weakness Enumeration (CWE), Common Vulnerabilities and Exposures (CVE) etc. From these databases only those vulnerabilities were included whose mitigation is possible at the design phase. Then this vulnerability data is pre-processed using various processes like text stemming, stop word removal, cases transformation. After pre-processing, SVM (Support Vector Machine) is used to classify vulnerabilities. Bootstrap validation is used to test and validate the classification process performed by the classifier. After training the classifier, a case study is conducted on NVD (National Vulnerability Database) design level vulnerabilities. Vulnerability analysis is done on the basis of classification result.
Security patterns and model driven architecturebdemchak
This document provides an overview of security patterns and model driven architecture. It summarizes three papers on using security patterns to model security requirements. The document discusses how security patterns can be used to address the common problem of irregular and haphazard application of security measures leading to insecure systems. It describes Cheng's approach of revising the security pattern template to allow formal verification of requirements. Rosado's approach is also summarized, which presents a standardized security pattern template and evaluates several common security patterns. The document provides context on how security patterns can help capture expertise to facilitate secure systems design.
Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-d...CHOOSE
This document discusses compliance in service-oriented architectures. It proposes a model-driven and view-based approach to address current issues with ensuring compliance. The approach uses domain-specific languages and architectural views to separately model compliance concerns. Models are validated and used to generate implementations. Runtime monitoring enforces compliance. The approach aims to better maintain, evolve, understand and guarantee systems comply with regulations.
International Journal of Engineering and Science Invention (IJESI) is an international journal intended for professionals and researchers in all fields of computer science and electronics. IJESI publishes research articles and reviews within the whole field Engineering Science and Technology, new teaching methods, assessment, validation and the impact of new technologies and it will continue to provide information on the latest trends and developments in this ever-expanding subject. The publications of papers are selected through double peer reviewed to ensure originality, relevance, and readability. The articles published in our journal can be accessed online.
TESEM: A Tool for Verifying Security Design Pattern ApplicationsHironori Washizaki
Because software developers are not necessarily security experts, identifying potential threats and vulnerabilities in the early stage of the development process is often insufficient. Even if these issues are addressed at an early stage, it does not guarantee that the final software product actually satisfies security requirements. To realize secure design and implementation, we propose extended security patterns, which include requirement- and design-level patterns as well as a new model testing and model-based code testing process. Our approach is implemented in a tool called TESEM, Test Driven Secure Modeling Tool, which supports pattern applications by creating a script to execute model testing automatically (ARES'13, IJSSE'14, ICST'15). Moreover we recently extended the tool to support testing of security design patterns implementation by preparing testcase templates (ARES'14). By using the tool, developers can specify threats and vulnerabilities in the target design and implementation according to security design patterns, verify whether the security patterns are properly applied, and assesses whether these vulnerabilities are resolved.
J018127176.publishing paper of mamatha (1)IOSR Journals
This document discusses classifying patterns under attacks and evaluating pattern security. It proposes a framework for assessing pattern security and modeling adversaries to characterize attack situations. The framework aims to provide a more comprehensive understanding of how classifiers behave under adversarial conditions. This can help lead to better design decisions that improve classifier security against considered attacks. Three applications are discussed - spam filtering, intrusion detection, and biometric verification - where pattern classifiers may be vulnerable if adversarial scenarios are not accounted for during design and evaluation.
The document describes a network worm vaccine architecture that aims to automatically patch vulnerable software in response to worm infections. The key components are sensors to detect infection attempts, an analysis engine to identify vulnerabilities and generate patches, and a sandboxed environment to test patches. Patches are generated using techniques like buffer relocation, code randomization, or removing unused functionality. The goal is to quickly react to attacks without human intervention through automated vulnerability identification and "good enough" patch generation until comprehensive security updates can be deployed. The approach seeks to counter known attack classes like buffer overflows and could be deployed across multiple cooperating organizations.
Aricent’s Highly Automated Vulnerability Assessment
Orchestration Containers (HAVOC) framework automates
security testing—enabling clients to harden products/ecosystems, and reduce risk of zero-day vulnerabilities. HAVOC provides extensive tool coverage, accelerates security analysts’ processes, and is highly scalable. Organizations leveraging HAVOC no longer require large, highly skilled, and expensive-to-maintain workforces to design for security, and ensure a high degree of consumer trust.
Classification of software security vulnerability no doubt facilitates the understanding of security-related information and accelerates vulnerability analysis. The lack of proper classification not only hinders its understanding but also renders the strategy of developing mitigation mechanism for clustered vulnerabilities. Now software developers and researchers are agreed on the fact that requirement and design phase of the software are the phases where security incorporation yields maximum benefits. In this paper we have attempted to design a classifier that can identify and classify design level vulnerabilities. In this classifier, first vulnerability classes are identified on the basis of well established security properties like authentication and authorization. Vulnerability training data is collected from various authentic sources like Common Weakness Enumeration (CWE), Common Vulnerabilities and Exposures (CVE) etc. From these databases only those vulnerabilities were included whose mitigation is possible at the design phase. Then this vulnerability data is pre-processed using various processes like text stemming, stop word removal, cases transformation. After pre-processing, SVM (Support Vector Machine) is used to classify vulnerabilities. Bootstrap validation is used to test and validate the classification process performed by the classifier. After training the classifier, a case study is conducted on NVD (National Vulnerability Database) design level vulnerabilities. Vulnerability analysis is done on the basis of classification result.
Security patterns and model driven architecturebdemchak
This document provides an overview of security patterns and model driven architecture. It summarizes three papers on using security patterns to model security requirements. The document discusses how security patterns can be used to address the common problem of irregular and haphazard application of security measures leading to insecure systems. It describes Cheng's approach of revising the security pattern template to allow formal verification of requirements. Rosado's approach is also summarized, which presents a standardized security pattern template and evaluates several common security patterns. The document provides context on how security patterns can help capture expertise to facilitate secure systems design.
Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-d...CHOOSE
This document discusses compliance in service-oriented architectures. It proposes a model-driven and view-based approach to address current issues with ensuring compliance. The approach uses domain-specific languages and architectural views to separately model compliance concerns. Models are validated and used to generate implementations. Runtime monitoring enforces compliance. The approach aims to better maintain, evolve, understand and guarantee systems comply with regulations.
International Journal of Engineering and Science Invention (IJESI) is an international journal intended for professionals and researchers in all fields of computer science and electronics. IJESI publishes research articles and reviews within the whole field Engineering Science and Technology, new teaching methods, assessment, validation and the impact of new technologies and it will continue to provide information on the latest trends and developments in this ever-expanding subject. The publications of papers are selected through double peer reviewed to ensure originality, relevance, and readability. The articles published in our journal can be accessed online.
TESEM: A Tool for Verifying Security Design Pattern ApplicationsHironori Washizaki
Because software developers are not necessarily security experts, identifying potential threats and vulnerabilities in the early stage of the development process is often insufficient. Even if these issues are addressed at an early stage, it does not guarantee that the final software product actually satisfies security requirements. To realize secure design and implementation, we propose extended security patterns, which include requirement- and design-level patterns as well as a new model testing and model-based code testing process. Our approach is implemented in a tool called TESEM, Test Driven Secure Modeling Tool, which supports pattern applications by creating a script to execute model testing automatically (ARES'13, IJSSE'14, ICST'15). Moreover we recently extended the tool to support testing of security design patterns implementation by preparing testcase templates (ARES'14). By using the tool, developers can specify threats and vulnerabilities in the target design and implementation according to security design patterns, verify whether the security patterns are properly applied, and assesses whether these vulnerabilities are resolved.
J018127176.publishing paper of mamatha (1)IOSR Journals
This document discusses classifying patterns under attacks and evaluating pattern security. It proposes a framework for assessing pattern security and modeling adversaries to characterize attack situations. The framework aims to provide a more comprehensive understanding of how classifiers behave under adversarial conditions. This can help lead to better design decisions that improve classifier security against considered attacks. Three applications are discussed - spam filtering, intrusion detection, and biometric verification - where pattern classifiers may be vulnerable if adversarial scenarios are not accounted for during design and evaluation.
The document describes a network worm vaccine architecture that aims to automatically patch vulnerable software in response to worm infections. The key components are sensors to detect infection attempts, an analysis engine to identify vulnerabilities and generate patches, and a sandboxed environment to test patches. Patches are generated using techniques like buffer relocation, code randomization, or removing unused functionality. The goal is to quickly react to attacks without human intervention through automated vulnerability identification and "good enough" patch generation until comprehensive security updates can be deployed. The approach seeks to counter known attack classes like buffer overflows and could be deployed across multiple cooperating organizations.
Aricent’s Highly Automated Vulnerability Assessment
Orchestration Containers (HAVOC) framework automates
security testing—enabling clients to harden products/ecosystems, and reduce risk of zero-day vulnerabilities. HAVOC provides extensive tool coverage, accelerates security analysts’ processes, and is highly scalable. Organizations leveraging HAVOC no longer require large, highly skilled, and expensive-to-maintain workforces to design for security, and ensure a high degree of consumer trust.
The document provides an overview of the Security Content Automation Protocol (SCAP), which is a set of standards for automating security compliance and vulnerability management. SCAP includes six specifications for representing system state, vulnerabilities, and security configurations. It allows organizations to standardize how they express security information and ensure interoperability of security tools. The specifications include languages like OVAL and XCCDF, enumerations like CVE and CCE, and scoring systems like CVSS. SCAP content combines elements from the specifications to assess security configuration compliance.
Whether you are building an e-commerce site or a business application, security is a key consideration when architecting your website or application. In this session, you will learn more about some of the things CloudFront does behind the scenes to protect the delivery of your content such as OCSP Stapling and Perfect Forward Secrecy. We will also share best practices on how you can use CloudFront to securely deliver content end-to-end, control who accesses your content, how to shield your origins from the Internet, and getting a A+ on SSL labs.
The document discusses various processes involved in cutting room operations for sewing including bundle ticket design, off loading, bundling, cutting instruction issue, and fabric control charts. It describes the purpose and components of bundle tickets and cutting instructions. It also outlines best practices for off loading, bundling, and cutting room layout and organization.
Un plano es una representación gráfica de objetos que proporciona información suficiente para analizar, elaborar, construir y dar mantenimiento. Los planos se diseñan en papel primero para planificar el proyecto antes de construirlo con materiales.
This document summarizes Sharyn Gol JSC's plans to expand its coal mining operations in Mongolia and become a leading Mongolian coal producer. It has over 374 million tons of JORC-compliant coal resources across two mining areas. It is currently producing 0.5 million tons per annum but plans to expand to 1-2.5 million tons through low-cost optimizations and a new open pit mine. The company aims to access growing domestic, Chinese, and seaborne markets by rail. Financial initiatives including partnerships and a secondary listing could help fund the expansion.
Este documento resume los recursos renovables y no renovables de Colombia. Habla sobre los desafíos de la reforestación en el país debido a los largos períodos de inversión y exposición a factores climáticos. También describe plantaciones de árboles en el Bajo Magdalena y sus beneficios. Con respecto a los recursos no renovables, señala que las reservas de carbón y petróleo de Colombia son insignificantes a nivel mundial y que se necesitan nuevos descubrimientos para evitar la necesidad de importar petróleo para el 2020
Este documento presenta una introducción al desarrollo de aplicaciones web. Explica las diferencias entre sitios web, páginas web y aplicaciones web, y entre aplicaciones web y nativas. También describe las ventajas de ser desarrollador web y los lenguajes clave para el desarrollo web front-end como HTML, CSS y JavaScript. Finalmente, presenta una arquitectura básica recomendada para aplicaciones web.
The document discusses ideas for locations and backgrounds to use when photographing images for a music magazine focused on R&B music. It considers using plain colored backgrounds like black, white and grey inspired by other R&B magazines. Potential background options include graffiti or plain brick walls, which could relate well to the clothing of the model and genre. Natural, dark colors are identified as representing R&B magazines effectively for the front cover, contents page and double page spreads.
Pragati Consulting is a private immigration service provider offering immigration assistance and advice. We render due guidance in processing applications for visas to countries worldwide. Our services include provision of entry visas, assistance in international relocation, enrolment at education institutions for higher education and counseling on job opportunities.
1) John Pearson, Vice President of Investor Relations for Centerra Gold Inc., presented at the 5th Annual Mines and Money Conference in Hong Kong in March 2012.
2) Centerra reported gold production of 642,380 ounces in 2011 and expects production of 635,000 to 685,000 ounces in 2012 at cash costs of $465 to $500 per ounce.
3) Centerra has two growth platforms - the Kumtor mine in the Kyrgyz Republic and the Boroo mine in Mongolia, and exploration is also ongoing in Mongolia, Russia, and Turkey.
This document discusses how to automate OpenSCAP compliance scanning with Foreman. It introduces OpenSCAP and how it integrates with Foreman using the foreman_openscap, smart_proxy_openscap, and foreman_scap_client plugins. The installation process and workflow are described, where Foreman is used to define profiles and assign them to hosts, Puppet configures clients, scans are run and reports uploaded to the Smart Proxy and Foreman for evaluation.
This presentation provides an overview of Erdenes Tavan Tolgoi JSC, a Mongolian coal producer and developer that holds mining licenses over the Tavan Tolgoi coalfield. It summarizes the company's current operations focused on the Tsankhi coalfield, plans to expand production at East Tsankhi to 20Mtpa by 2017, and negotiations to develop the West Tsankhi coalfield through a consortium. The document also outlines Tavan Tolgoi's world-class coking coal reserves, premium quality products, and infrastructure development plans.
BAC STMG 2015 - Oral épreuve pratique de spécialité du bac STMG Marketing/ Ge...Super Professeur
BAC STMG 2015
Fiche méthodologique pour bien préparer et réussir l' oral pendant l'épreuve pratique de spécialité du bac STMG Marketing/ Gestion & Finance/ Ressources Humaines et Communication/ Systèmes d'Information de Gestion.
Présentation PowerPoint du projet sur www.SuperProfesseur.com by le Professeur d'Economie & Gestion Ronald TINTIN.
Este documento resume los antecedentes históricos que llevaron al descubrimiento de la fotografía, incluyendo el conocimiento y uso de la cámara oscura desde la antigüedad, experimentos sobre la sensibilidad a la luz de las sales de plata en el siglo 18, y avances como la invención del fijador que permitió fijar imágenes sensibles a la luz. El documento explica cómo la combinación de conocimientos ópticos y químicos llevaron finalmente al descubrimiento de la fotografía a
Security Content Automation Protocol and Web Application SecurityMichael Smith
The document introduces the Security Content Automation Protocol (SCAP) which comprises a suite of specifications for organizing and expressing security-related information in standardized ways. SCAP can be used to automatically verify the installation of patches, check system security configuration settings, and examine systems for signs of compromise. It then describes some of the key components of SCAP including XCCDF for security checklists, OVAL for auditing, CCE for configuration guides, CPE for environment descriptions, CVE for vulnerability disclosures, and CVSS for vulnerability impact scoring. The document encourages using SCAP to automate security tasks wherever possible and contributing new SCAP content.
The document discusses approaches to building secure web applications, including establishing software security processes and maturity levels. It covers security activities like threat modeling, defining security requirements, secure coding standards, security testing, and metrics. Business cases for software security focus on reducing costs of vulnerabilities, threats to web apps, and root causes being application vulnerabilities and design flaws.
The document discusses various threat modeling processes and tools that can be used to secure an e-learning environment. It describes the basics of threat modeling including gathering information about the system, decomposing applications into components, identifying risks through use cases and attack trees. Several threat modeling approaches are outlined such as Microsoft's threat modeling process, STRIDE classification scheme, DREAD, and OCTAVE. The advantages of using threat modeling to understand vulnerabilities and develop mitigation strategies are also highlighted.
For an organization to function efficiently it is important to have security controls to ensure the protection of confidentiality, integrity and availability of information and systems. Compliance is the process of ensuring all systems in an organization met a set of predefined specific rules.
In this article we will address the need for compliance automation and how SecPod’s Saner provides enterprises the ability to automate compliance while minimizing time spent on non-compliant state.
The document provides an overview of the Security Content Automation Protocol (SCAP), which is a set of standards for automating security compliance and vulnerability management. SCAP includes six specifications for representing system state, vulnerabilities, and security configurations. It allows organizations to standardize how they express security information and ensure interoperability of security tools. The specifications include languages like OVAL and XCCDF, enumerations like CVE and CCE, and scoring systems like CVSS. SCAP content combines elements from the specifications to assess security configuration compliance.
Whether you are building an e-commerce site or a business application, security is a key consideration when architecting your website or application. In this session, you will learn more about some of the things CloudFront does behind the scenes to protect the delivery of your content such as OCSP Stapling and Perfect Forward Secrecy. We will also share best practices on how you can use CloudFront to securely deliver content end-to-end, control who accesses your content, how to shield your origins from the Internet, and getting a A+ on SSL labs.
The document discusses various processes involved in cutting room operations for sewing including bundle ticket design, off loading, bundling, cutting instruction issue, and fabric control charts. It describes the purpose and components of bundle tickets and cutting instructions. It also outlines best practices for off loading, bundling, and cutting room layout and organization.
Un plano es una representación gráfica de objetos que proporciona información suficiente para analizar, elaborar, construir y dar mantenimiento. Los planos se diseñan en papel primero para planificar el proyecto antes de construirlo con materiales.
This document summarizes Sharyn Gol JSC's plans to expand its coal mining operations in Mongolia and become a leading Mongolian coal producer. It has over 374 million tons of JORC-compliant coal resources across two mining areas. It is currently producing 0.5 million tons per annum but plans to expand to 1-2.5 million tons through low-cost optimizations and a new open pit mine. The company aims to access growing domestic, Chinese, and seaborne markets by rail. Financial initiatives including partnerships and a secondary listing could help fund the expansion.
Este documento resume los recursos renovables y no renovables de Colombia. Habla sobre los desafíos de la reforestación en el país debido a los largos períodos de inversión y exposición a factores climáticos. También describe plantaciones de árboles en el Bajo Magdalena y sus beneficios. Con respecto a los recursos no renovables, señala que las reservas de carbón y petróleo de Colombia son insignificantes a nivel mundial y que se necesitan nuevos descubrimientos para evitar la necesidad de importar petróleo para el 2020
Este documento presenta una introducción al desarrollo de aplicaciones web. Explica las diferencias entre sitios web, páginas web y aplicaciones web, y entre aplicaciones web y nativas. También describe las ventajas de ser desarrollador web y los lenguajes clave para el desarrollo web front-end como HTML, CSS y JavaScript. Finalmente, presenta una arquitectura básica recomendada para aplicaciones web.
The document discusses ideas for locations and backgrounds to use when photographing images for a music magazine focused on R&B music. It considers using plain colored backgrounds like black, white and grey inspired by other R&B magazines. Potential background options include graffiti or plain brick walls, which could relate well to the clothing of the model and genre. Natural, dark colors are identified as representing R&B magazines effectively for the front cover, contents page and double page spreads.
Pragati Consulting is a private immigration service provider offering immigration assistance and advice. We render due guidance in processing applications for visas to countries worldwide. Our services include provision of entry visas, assistance in international relocation, enrolment at education institutions for higher education and counseling on job opportunities.
1) John Pearson, Vice President of Investor Relations for Centerra Gold Inc., presented at the 5th Annual Mines and Money Conference in Hong Kong in March 2012.
2) Centerra reported gold production of 642,380 ounces in 2011 and expects production of 635,000 to 685,000 ounces in 2012 at cash costs of $465 to $500 per ounce.
3) Centerra has two growth platforms - the Kumtor mine in the Kyrgyz Republic and the Boroo mine in Mongolia, and exploration is also ongoing in Mongolia, Russia, and Turkey.
This document discusses how to automate OpenSCAP compliance scanning with Foreman. It introduces OpenSCAP and how it integrates with Foreman using the foreman_openscap, smart_proxy_openscap, and foreman_scap_client plugins. The installation process and workflow are described, where Foreman is used to define profiles and assign them to hosts, Puppet configures clients, scans are run and reports uploaded to the Smart Proxy and Foreman for evaluation.
This presentation provides an overview of Erdenes Tavan Tolgoi JSC, a Mongolian coal producer and developer that holds mining licenses over the Tavan Tolgoi coalfield. It summarizes the company's current operations focused on the Tsankhi coalfield, plans to expand production at East Tsankhi to 20Mtpa by 2017, and negotiations to develop the West Tsankhi coalfield through a consortium. The document also outlines Tavan Tolgoi's world-class coking coal reserves, premium quality products, and infrastructure development plans.
BAC STMG 2015 - Oral épreuve pratique de spécialité du bac STMG Marketing/ Ge...Super Professeur
BAC STMG 2015
Fiche méthodologique pour bien préparer et réussir l' oral pendant l'épreuve pratique de spécialité du bac STMG Marketing/ Gestion & Finance/ Ressources Humaines et Communication/ Systèmes d'Information de Gestion.
Présentation PowerPoint du projet sur www.SuperProfesseur.com by le Professeur d'Economie & Gestion Ronald TINTIN.
Este documento resume los antecedentes históricos que llevaron al descubrimiento de la fotografía, incluyendo el conocimiento y uso de la cámara oscura desde la antigüedad, experimentos sobre la sensibilidad a la luz de las sales de plata en el siglo 18, y avances como la invención del fijador que permitió fijar imágenes sensibles a la luz. El documento explica cómo la combinación de conocimientos ópticos y químicos llevaron finalmente al descubrimiento de la fotografía a
Security Content Automation Protocol and Web Application SecurityMichael Smith
The document introduces the Security Content Automation Protocol (SCAP) which comprises a suite of specifications for organizing and expressing security-related information in standardized ways. SCAP can be used to automatically verify the installation of patches, check system security configuration settings, and examine systems for signs of compromise. It then describes some of the key components of SCAP including XCCDF for security checklists, OVAL for auditing, CCE for configuration guides, CPE for environment descriptions, CVE for vulnerability disclosures, and CVSS for vulnerability impact scoring. The document encourages using SCAP to automate security tasks wherever possible and contributing new SCAP content.
The document discusses approaches to building secure web applications, including establishing software security processes and maturity levels. It covers security activities like threat modeling, defining security requirements, secure coding standards, security testing, and metrics. Business cases for software security focus on reducing costs of vulnerabilities, threats to web apps, and root causes being application vulnerabilities and design flaws.
The document discusses various threat modeling processes and tools that can be used to secure an e-learning environment. It describes the basics of threat modeling including gathering information about the system, decomposing applications into components, identifying risks through use cases and attack trees. Several threat modeling approaches are outlined such as Microsoft's threat modeling process, STRIDE classification scheme, DREAD, and OCTAVE. The advantages of using threat modeling to understand vulnerabilities and develop mitigation strategies are also highlighted.
For an organization to function efficiently it is important to have security controls to ensure the protection of confidentiality, integrity and availability of information and systems. Compliance is the process of ensuring all systems in an organization met a set of predefined specific rules.
In this article we will address the need for compliance automation and how SecPod’s Saner provides enterprises the ability to automate compliance while minimizing time spent on non-compliant state.
A Platform for Application Risk IntelligenceCheckmarx
Using Source Code Understanding as a Risk Barometer:
Source Code Analysis technologies have significantly evolved in recent years – making improvements in precision and accuracy with the introduction of new analysis techniques like flow analysis. This article describes this evolution and how the most advanced capabilities available today like query-based analysis and Knowledge Discovery can be leveraged to create a platform for Application Risk Intelligence (ARI) to help implement a proactive security program.
The document discusses validating all inputs to prevent cross-site scripting (XSS) attacks. It introduces the OWASP HTML Sanitizer Project, which is a Java library that sanitizes HTML to allow untrusted user input to be safely embedded in web pages. The sanitizer removes malicious code while keeping desired markup, through a policy-based approach. Sample usages demonstrated validate specific elements like images and links. The project aims to protect against XSS while allowing third-party content through a tested, securely-designed library.
The OWASP Top Ten Proactive Controls v2 introduces new proactive controls to the Top Ten list. It includes more practical examples and contributions from the OWASP community and non-OWASP community. It also includes some best practices to consider when building mobile apps, such as secure storage, authentication, etc. The document then lists 10 proactive controls, including verifying for security early and often, parameterizing queries, encoding data, validating all inputs, implementing identity and authentication controls, implementing appropriate access controls, protecting data, implementing logging and intrusion detection, leveraging security frameworks and libraries, and handling errors and exceptions.
The OWASP Top Ten Proactive Controls v2 introduces new proactive controls to the Top Ten list, provides more practical examples and case studies, and has contributions from a large number of non-OWASP community members, while also including some best practices for building secure mobile applications. It outlines 10 proactive controls for application security including verifying for security early and often, parameterizing queries, encoding data before use in a parser, validating all inputs, implementing identity and authentication controls, implementing appropriate access controls, protecting data, implementing logging and intrusion detection, leveraging security frameworks and libraries, and handling errors and exceptions.
The document discusses secure software development lifecycles and application security. It notes that security is often not considered during traditional SDLC processes. It advocates doing threat modeling and source code analysis to integrate security. It also discusses differences between blackbox and whitebox testing approaches, and analyzing applications at the source code level versus object code level.
The OWASP Top Ten Proactive Controls 2.0 document introduces new proactive controls to the Top Ten list and provides more practical examples and contributions from the community. It includes some best practices for building secure mobile apps. The document then describes 10 proactive controls addressing common vulnerabilities like injection, XSS, access control issues etc. It provides details on each control with examples and references.
A Verifiable SSA Program Representation For Aggressive Compiler OptimizationJoe Osborn
This document presents a new program representation called safety dependence that embeds safety information like type checks into optimized compiler-generated code. It uses proof variables to represent dependencies between unsafe operations and safety checks. The representation allows compilers to aggressively optimize code while preserving safety properties. It describes integrating this approach into an optimizing Java compiler called STARJIT. A type system is also presented that can verify memory safety for programs using this representation. The goal is to allow generating certified optimized code from safe languages like Java.
EISA Considerations for Web Application SecurityLarry Ball
This document proposes tools for detecting and preventing security vulnerabilities within an enterprise information system architecture for a given business process. It discusses profiling web platforms and authentication/authorization, as well as input injection attacks, XML web services vulnerabilities, and attacks on web application and client management. Specific attacks include those on the OWASP Top 10 list. The document advocates threat modeling during development to identify risks and recommends code reviews and security assessment tools for mitigation.
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
Abstract: SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.
Bio: A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product. Contrast is an application agent that enables software to both report vulnerabilities and prevent attacks. Jeff has over 25 years of security experience, speaks frequently on cutting-edge application security, and has helped secure code at hundreds of major enterprises. Jeff served as the Global Chairman of the OWASP Foundation for eight years, where he created many open-source standards, tools, libraries, and guidelines - including the OWASP Top Ten.
This document provides a checklist of secure coding practices for software developers. It covers topics such as input validation, output encoding, authentication, session management, access control, cryptography, error handling, data protection, and general coding practices. Implementing the practices in this checklist can help mitigate common software vulnerabilities and security issues. The document recommends defining security roles and responsibilities, providing training, and following a secure software development lifecycle model.
The document discusses various topics related to deriving solutions for web applications, including object-oriented software engineering, modeling, measurement and estimation, design patterns, web applications, XML, software components, web services, and future trends. It covers modeling approaches like UML, metrics for estimation and quality evaluation, design patterns for common problems, standards for XML, components, and web services. It also discusses service-oriented architecture, SOAP, WSDL, UDDI, and packaging of reusable assets.
The document discusses applying hierarchical risk parity and unsupervised machine learning techniques to analyze risks associated with cryptocurrency. It aims to determine inherent risks based on likelihood of occurrence and potential financial impact. The proposed system uses machine learning algorithms like decision trees, naive bayes, SVM and logistic regression within a hierarchical risk parity framework to examine professional accounting of cryptocurrency risks. It seeks to identify negatively correlated intrinsic risks, rank exchange control risks by likelihood, and find highest likelihood risks.
The document outlines an approach to application security that involves establishing a software security roadmap. It discusses assessing maturity, defining a security-enhanced software development lifecycle (S-SDLC), and implementing security activities such as threat modeling, secure coding practices, security testing, and metrics. The goal is to manage software risks through a proactive and holistic approach rather than just reacting to vulnerabilities.
This document outlines an approach to application security that involves assessing maturity, defining a software security roadmap, and implementing security activities throughout the software development lifecycle (SDLC). It discusses security requirements, threat modeling, secure design guidelines, coding standards, security testing, configuration management, metrics, and making business cases to justify security investments. The goal is to manage software risks proactively by building security into each phase rather than applying it reactively through patches.
Reliability is concerned with decreasing faults and their impact. The earlier the faults are detected the better. That's why this presentation talks about automated techniques using machine learning to detect faults as early as possible.
Similar to Our talk in Black Hat Asia 2015 Briefing (20)
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondSecPod Technologies
It’s widely known that patch management is a major pain point for most businesses. IT teams struggle to keep systems patched and secure. Cyber-attacks are continuous and anti-virus protection alone isn’t effective.
Cyber hygiene best practices need to be followed to keep organizations secure and to prevent security breaches.
In this webinar, Chandrashekhar - SecPod’s Founder & CEO, Douglas Smith - BlueHat Cyber’s Senior Sales Director, and Greg Pottebaum - SecPod’s VP OEM & Strategic Alliances, demonstrate:
- How to efficiently reduce the cyber-attack surface of your business
- Simple strategies to improve your security management
- How Blue Hat Cyber uses SanerNow to automate patch management and secure their customer’s endpoints
Request a FREE Demo of SanerNow platform at:
www.secpod.com
About SecPod
SecPod is an endpoint security and management technology company. SecPod (Security Podium, incarnated as SecPod)
was founded in the year 2008. SecPod’s SanerNow platform and tools are used by MSPs and enterprises worldwide.
SecPod also licenses security technology to top security vendors through its SCAP Content Professional Feed.
Facebook: https://www.facebook.com/secpod/
LinkedIn: https://www.linkedin.com/company/secp...
Twitter: https://twitter.com/SecPod
Email us at info@secpod.com to get more details on how to secure your organisation from cyber attacks.
What are cyber attacks?
In simple terms, cyber attacks are attempts of disabling or stealing information from other computers, by gaining access to admin privileges to them.
Why should businesses be worried?
An average ransomware attack costs a company $5 million. Attackers target all types of businesses, small and large, healthcare, banking & finance, manufacturing, education, even government. The internet has made life a lot easier for business owners, at the same time it has made them easier to get hacked.
Human threats pose the greatest risk to organizations, costing over $100 billion annually worldwide through hacking and social engineering. Network security threats like malware, viruses, and phishing attacks are common, with over 45% requiring user interaction via email. Physical security is often overlooked despite threats from theft, sabotage, and terrorism. Software threats can attack through logic bombs, trojans, worms and viruses.
The document discusses vulnerabilities in IoT devices and provides examples of potential threats, including hacking a Jeep remotely and changing the target of a smart sniper rifle. It then summarizes challenges in securing IoT devices like limited resources, difficulty upgrading firmware, and lack of security software. Guidelines are provided for vendors, developers, and users to improve IoT security, such as using encryption, patching vulnerabilities, and educating users. Finally, the document demonstrates hacking a DTH set-top box by disturbing service, recording shows without permission, and stealing recordings.
Managed security service providers (MSSPs) value the Saner Business endpoint security solution for its ability to:
1) Find and eliminate vulnerabilities across networks in an automated and simple way.
2) Offer discrete security services and support regulatory compliance standards through continual assessment and remediation.
3) Provide continuous monitoring and detection of advanced threats that other solutions may overlook.
The document discusses the challenges of managing IT security with many individual point products that have overlapping functionality and features. It introduces the SecPod SanerNow platform as a single platform approach for provisioning various security and endpoint management tools on demand to address specific tasks in a simpler and more cost-effective manner. Key benefits highlighted include reducing costs by up to 60%, easing management and improving security through continuous monitoring, vulnerability assessment, and threat detection and response capabilities.
SanerNow Endpoint Management (EM) is a cloud-delivered
service that allows complete control over all your endpoint
systems. It provides visibility into the status of endpoints and
equips you with hundreds of built-in checks. SanerNow
Endpoint Management provides necessary features for
managing endpoints.
SanerNow Asset Management (AM) is a cloud-delivered
service that tracks assets installed on hosts, the open
vulnerabilities in the OS and applications, their patch or update
levels, and prioritizes remediation tasks - all critical to the
deep visibility required to prevent attacks and data breaches.
SanerNow Patch Management (PM) is a cloud-delivered
service that identifies and automatically rolls out patches
according to rules and jobs defined by the user. If necessary, it
automatically reboots systems after applying patches and can
roll back installed patches. SanerNow’s patch management
process is timely, responsive and systematically managed.
SanerNow Vulnerability Management (VM) is a cloud delivered
service that performs an automated daily vulnerability scan. Organizations can discover their threat and vulnerability risk in less than five minutes. SanerNow VM provides continuous visibility into IT systems. Its time-testedSCAP Feed database delivers comprehensive vulnerability coverage.
Many Products, No Security
So many products: Organizations invest in multiple products, many with overlapping
capabilities. And investments are huge when considering the cost of products,maintenance, professional services, training and vendor management.
SanerNow a platform for Endpoint security and systems ManagementSecPod Technologies
Endpoint security can be more effective and less costly by simplifying management through a unified platform rather than multiple point products. Currently, organizations invest heavily in numerous security products yet still struggle with attacks, complexity, and high costs. A single platform called SanerNow provides tools to automate tasks like vulnerability management, patching, and threat detection through continuous monitoring from the cloud. It aims to reduce security costs by up to 60% by addressing issues holistically rather than relying on numerous specialized products with overlapping functionality.
Healthcare industry is becoming a popular victim to ransowmare attacks. The following infographic based on some study and statistics depicts the healthcare industry's fight against ransomware.
SecPod Saner is an endpoint security solution that provides continuous visibility and control over endpoints. It proactively remediates risks and detects and responds to threats using vulnerability management, patch management, compliance management, and endpoint threat detection and response. Saner allows administrators to gain wide visibility into endpoint activities, create rules to monitor for deviations and fix issues, manage transient devices to keep them protected and up-to-date, create and enforce security compliance policies, and view real-time status reports.
This document discusses an endpoint security as a service offering that provides continuous endpoint visibility and control. It allows organizations to offer compelling security services by providing visibility into risks, automatically detecting and fixing vulnerabilities in real-time, and ensuring compliance. This increases client revenue through expanded services and introduces new services while also increasing profit margins by maximizing client value and minimizing technical resource costs. The document then introduces a new proactive approach to endpoint security using Saner, which provides real-time endpoint visibility, automatically fixes vulnerabilities and misconfigurations, and detects and responds to threats in seconds through prevention-first capabilities.
Saner is an endpoint security solution that provides continuous visibility and control of endpoints. It takes a proactive approach to security by detecting threats and responding before exploits can occur. Saner collects security posture data from endpoints and correlates it with threat intelligence to detect risks and indicators of compromise in real-time. It then automatically fixes vulnerabilities, misconfigurations, and responds to incidents. The solution aims to simplify and automate endpoint security management while reducing costs and ensuring compliance.
SecPod Saner provides continuous visibility and control for all endpoints. It proactively remediates risks and detects and responds to threats. Saner combines endpoint vulnerability, patch and compliance management with endpoint threat detection and response into one easy to manage solution.
Ransomware has evolved since its origins in 1989 when the first known "AIDS" trojan spread via floppy disks. There are two main types - locker ransomware that denies access to devices, and crypto ransomware that encrypts files until ransom is paid. Notable examples like Cryptolocker and CryptoLocker have targeted home users, businesses, and public agencies on computers, servers, and mobile devices. Ransomware infects through malicious advertisements, spam emails, downloaders, botnets, and social engineering. Profits from ransomware have grown substantially, reaching over $18 million in 2015. Ransomware impacts many countries worldwide, with payments typically demanded through vouchers or bitcoins.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Trusted Execution Environment for Decentralized Process MiningLucaBarbaro3
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...alexjohnson7307
Predictive maintenance is a proactive approach that anticipates equipment failures before they happen. At the forefront of this innovative strategy is Artificial Intelligence (AI), which brings unprecedented precision and efficiency. AI in predictive maintenance is transforming industries by reducing downtime, minimizing costs, and enhancing productivity.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
A Comprehensive Guide to DeFi Development Services in 2024Intelisync
DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum.
In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance.
In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape.
At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology.
Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Azure API Management to expose backend services securely
Our talk in Black Hat Asia 2015 Briefing
1. Security Content Metadata Model with an Efficient Search
Methodology for Real Time Monitoring and Threat
Intelligence
Preeti Subramanian
Abstract
The Security Content Automation Protocol
(SCAP) federates a number of open standards
that are used to enumerate software flaws
and configuration issues related to security.
They measure systems to find vulnerabilities
and offer methods to score those findings in
order to evaluate the possible impact. There
are a number of SCAP components such as
Common Vulnerabilities and Exposures (CVE),
Common Configuration Enumeration (CCE),
Common Platform Enumeration (CPE),
Common Remediation Enumeration (CRE),
Extensible Configuration Checklist Description
Format (XCCDF), and Open Vulnerability and
Assessment Language (OVAL). Malware
Attribute Enumeration and Characterization
(MAEC) is a standardized language for
encoding and communicating high-fidelity
information about malware based upon
attributes such as behaviours, artefacts, and
attack patterns. These standards render data
in the form of XML.
Although these standards are linked to each
other, there is a lack of commonality in their
XML schema definitions. There is a need for a
unique common metadata schema to
represent important aspects relevant for
designing efficient search mechanism. This
common metadata supports distribution of
data across various repositories that render
SCAP content. Across all security content
databases unique identification and a short
description will be common. In addition, this
model makes building of relations to multiple
components of SCAP intuitive. Differentiating
attributes of security content can be
represented as a list of properties, each
property being a key-value pair. For example,
in the case of CVE, (CVSS, 9.4) represents the
key CVSS and a score of 9.4, where CVSS is
Common Vulnerability Severity Score. In this
model, modifications to the schema of SCAP
components can easily be accommodated by
just adding or deleting a property key-value
pair without changing the model. Searching
on this metadata enables fast response to
queries and helps interlace various SCAP
components; e.g., OVAL references CVE and
each CVE depends on various platforms and
products denoted by CPEs. This model enables
Natural Language Processing (NLP) and
renders meaningful responses to queries such
as most vulnerable applications, OVAL
definitions, vulnerabilities in Adobe Reader in
2014, recent threats etc. 90% of malware
attacks make use of an existing vulnerability in
the system. This archetype aids to resolve
vulnerabilities before an attack happens. In a
case where system events are continuously
monitored, this model also helps understand
an incident in a machine and analyse to
determine if it is a malware attack. It will
additionally help to scrutinize which
vulnerability was exploited by the malware
and most importantly, fix the vulnerability to
prevent further attacks.
2. Background
As an organizational security protection
mechanism, we need to implement
different silos of security technologies,
vulnerability management, patch
management, incident response or
security information and event
management (SIEM), malware
management, intrusion detection
systems. Each of these operates with
different sets of data, often only
understood by them. However, the
underlying common goal is to protect an
organization or an entity from adversaries.
This poses two questions:
Firstly, why is there a lack of
commonality or inter-relationship
between these data sets?
Secondly, why don’t these
products talk to each other and
devise a response mechanism
which works like a single system?
These questions lay the foundation of
Security Content Automation Protocol,
commonly known as SCAP and few other
additional standards being developed part
of the National Institute of Standards and
Technology (NIST) and other standards
bodies.
Understanding SCAP
Security Content Automation Protocol,
SCAP is a suite of specifications that
standardize the format and nomenclature
by which software flaw and security
configuration information is
communicated, both to machines and
humans. SCAP is a multi-purpose
framework of specifications that support
automated configuration, vulnerability
and patch checking, technical control
compliance activities, and security
measurement. Goals for the development
of SCAP include standardizing system
security management, promoting
interoperability of security products, and
fostering the use of standard expressions
of security content.
SCAP is categorized into Languages,
Metrics, Enumeration, Reporting formats
and Integrity.
Languages
SCAP provides conventions to express
vulnerability assessment, security policies
and technical check mechanism in the
form of OVAL, XCCDF and OCIL.
Enumeration
SCAP defines a naming format and a list of
items that are defined in that
nomenclature. It consists of CPE, CCE, CVE
and CWE.
Metrics
Measurement and scoring systems in
SCAP refers to evaluation of each security
weakness and assign a score to each of
these weaknesses. Common Vulnerability
Scoring System (CVSS) and Common
Configuration Scoring System (CCSS) are
the scoring system.
Reporting Formats
SCAP describes reporting format that
provides necessary constructs to express
collected information in standardized
formats. The SCAP reporting format
3. specifications are Asset Reporting Format
(ARF) and Asset Identification.
Integrity
An SCAP integrity specification helps to
preserve the integrity of SCAP content and
results. Trust Model for Security
Automation Data (TMSAD) is the SCAP
integrity specification.
SCAP touches all the requirements for
automating information exchange
between two entities. It is a synthesis of
interoperable specifications derived from
community ideas.
SCAP Content Metadata Model
SCAP language and reporting format are
expressed in XML format. XML helps
exchange of complex information in a
simple text structure over the web and it
is highly interoperable. Besides these
advantages, there are drawbacks in
expressing SCAP language and reporting
content in XML format. Large content
articulated in the form of XML becomes
bulky. Since the content is extensive in
nature, search and analysis of this content
becomes a challenging task.
This gives rise to the need of extracting
relevant information in a standardized
manner, which we refer to as ‘metadata
of security content’. This content has to
be concrete and should be understood by
receiver of information, machine or
human to take crucial actions to fix a
malware attack on the system.
Metadata of security content can be
expressed in the form of key value pair.
Each construct of SCAP content has a
property; hence the key becomes the
property name and value being the data
after evaluation.
The diagram below outlines the metadata
design of SCAP content:
Figure 1: Metadata schema diagram
5. Here is an example of vulnerability,
Adobe Flash Player (prior to 13.0.0.262
and 14.x through 16.x before 16.0.0.287
on Windows and OS X and prior to
11.2.202.438 on Linux) does not properly
restrict discovery of memory addresses,
which allows attackers to bypass the ASLR
protection mechanism on Windows, and
have an unspecified impact on other
platforms, via unknown vectors, as
exploited in the wild in January 2015.
Table 1: Impact of CVE-2015-0310
Property Value
CVSS v2 Base
Score
10.0(HIGH)
(AV:N/AC:L/Au:N/C:C/I:C
/A:C) (legend)
Impact
Subscore
10.0
Exploitability
Subscore
10.0
Table 2: CVSS Version 2 Metrics of CVE-
2015-0310
Property Value
Access Vector Network exploitable
Access
Complexity
Low
**NOTE: Access
Complexity scored Low
due to insufficient
information
Authentication Not required to
exploit
Impact Type Allows unauthorized
disclosure of
information; Allows
unauthorized
modification; Allows
disruption of service
Table 3 shows an example of metadata of CVE-2015-0310 that specifies vulnerability in
Adobe Flash Player and earlier versions that has high severity score of 10.0.
Table 3: Metadata of CVE-2015-0310
Metadata
Id CVE-2015-0310
Desc Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before
16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux
does not properly restrict discovery of memory addresses, which
allows attackers to bypass the ASLR protection mechanism on
Windows, and have an unspecified impact on other platforms, via
unknown vectors, as exploited in the wild in January 2015.
URI http://www.scaprepo.com/control.jsp?command=viewXML&id=CVE-
2015-0310
6. Created-Date 2015-01-27
Modified-Date 2015-02-05
Score 10.0
Exploitability_score 10.0
Impact_score 10.0
Access_vector NETWORK
Access_complexity LOW
Availability_impact COMPLETE
Authentication_status NONE
Confidentiality_impact COMPLETE
Integrity_impact COMPLETE
Ext_ref CONFIRM
http://helpx.adobe.com/security/products/flash-player/apsb15-
02.html
Published-Date 2015-01-23
Generated-Date 2015-01-26
The above data can be stored in
databases, relational databases such as
SQL or big data storage. Big data storage is
designed to store large amounts of data. It
stores information in key-value pair and
supports efficient querying and
information retrieval techniques. Though
big data architecture and use plays an
important role in storage of metadata,
explanation of big data is out of the scope
of the paper.
7. For information exchange, metadata can be expressed in XML format,
<metadata xmlns="http://www.scaprepo.com/SCAPRepoWebService/schema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-
instance"xsi:schemaLocation="http://www.scaprepo.com/SCAPRepoWebService/schema
http://www.scaprepo.com/SCAPRepoWebService/schema/metadata.xsd">
<entities>
<entity>
<id>CVE-2015-0310</id>
<uri>
http://www.scaprepo.com/control.jsp?command=viewXML&id=CVE-
2015-0310
</uri>
<desc>
Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before
16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly
restrict discovery of memory addresses, which allows attackers to bypass the ASLR
protection mechanism on Windows, and have an unspecified impact on other
platforms, via unknown vectors, as exploited in the wild in January 2015.
</desc>
<created-date>2015-01-27</created-date>
<modified-date>2015-02-05</modified-date>
<properties>
<property key="Desc">
Adobe Flash Player before 13.0.0.262 and 14.x through 16.x
before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not
properly restrict discovery of memory addresses, which allows attackers to bypass
the ASLR protection mechanism on Windows, and have an unspecified impact on other
platforms, via unknown vectors, as exploited in the wild in January 2015.
</property>
<property key="Score">10.0</property>
<property key="Exploitability_score">10.0</property>
<property key="Impact_score">10.0</property>
<property key="Access_vector">NETWORK</property>
<property key="Access_complexity">LOW</property>
<property key="Availability_impact">COMPLETE</property>
<property key="Authentication_status">NONE</property>
<property key="Confidentiality_impact">COMPLETE</property>
<property key="Integrity_impact">COMPLETE</property>
<property key="Ext_ref">
http://helpx.adobe.com/security/products/flash-player/apsb15-
02.html CONFIRM
http://helpx.adobe.com/security/products/flash-player/apsb15-
02.html
</property>
<property key="Publisheddate">2015-01-23</property>
<property key="Modifieddate">2015-01-26</property>
<property key="Generateddate">2015-01-26</property>
<property key="Created-Date">2015-01-27</property>
<property key="Modified-Date">2015-02-05</property>
</properties>
</entity>
</entities>
</metadata>
8. In this example, CVE-2015-0310 is related
to product Adobe Flash Player versions
11.2.202.429, 16.0.0.257, 14.0.0.145, and
14.0.0.125 then we can certainly map
them to product enumeration, CPEs:
cpe:/a:adobe:flash_player:11.2.202.429,
cpe:/a:adobe:flash_player:16.0.0.257,
cpe:/a:adobe:flash_player:14.0.0.145, and
cpe:/a:adobe:flash_player:14.0.0.125
Further, it can be associated to weakness
enumeration CWE-264 - Permissions,
Privileges, and Access Controls which
contains detection methods and potential
mitigation information and to
vulnerability assessment signatures
articulated in OVAL.
Searching on SCAP Metadata
The creation of SCAP Metadata judiciously
reduces the size of security content to be
examined. Subsequently, efficient search
mechanisms can be implemented on this
data to get information for vulnerability
assessment and incident response
information.
Each SCAP entity in this model is
correlated to other relevant entities using
references as described in previous
section. With this information, tracing the
query across different entities of SCAP
becomes straight-forward.
For instance, a vulnerability search results
in CVEs and each CVE has a detection
signature that is written in OVAL. Each
vulnerability and detection signature is
mapped to a remediation patch or
hardening measure. This helps fix an issue
before an attack happens, and thus acts as
the first line of defence against malware.
Natural Language Processing (NLP) can be
implemented that can define linguistics of
security content search interactions.
Search implementation can also be
enhanced to include date/time related
queries.
Examples of Metadata Search
Below are a few examples of metadata
searches:
Search query “Recent threats” lists a set
of latest vulnerabilities that might be a
threat to your organization
Figure 2: Search query ‘Recent threats’
Another search query “last month adobe
vulnerabilities” lists all vulnerabilities
9. reported in the previous month. (See
Figure 3)
Figure 3: Search query ‘last month adobe
vulnerabilities’
The above query lists all vulnerabilities. In
order to further refine this search, we can
look for vulnerabilities which have a high
severity score.
Such queries can assist system
administrators to identify which
vulnerabilities are critical and need to be
addressed quickly.
For a search query “Adobe vulnerabilities
having score 10.0”, see figure 4)
Figure 4: Search query ‘Adobe
vulnerabilities having score 10.0’
How to use metadata?
Local and remote scan can be performed
on systems to collect system information
and produce results in a standard format.
Based on system metadata, data analytics
can be implemented on results content to
understand and co-relate various
parameters of data. For instance, risk can
be computed based on the count and
score of vulnerabilities present in each
system of an organization.
This metadata also supports storage of
organizations’ benchmark, compliance
data such as PCI DSS, ISO, and HIPAA and
compliance checks that need to be
performed on the systems to know if
systems are yielding to the benchmark set
by the organization.
10. Once the data is collected from various
systems, a holistic view of the security
posture of the organization can be
observed from metrics, figures and
plotting graphs.
Also, if an incident occurs in the system,
we can co-relate various entities of SCAP
and fix the issue.
Figure 5 shows the flow of incidence
response mechanism.
Figure 5: Flow of Incidence Response
Real Time Threat Monitoring using
Security Content Metadata Model
We measure the security posture of an
organization using various assessments
and auditing products. Each product
produces large data sets that are limited
to the nature of the product.
“How do we identify incidents in a sea of
data?”
SCAP metadata along with malware
characteristics and events data from
systems defines the groundwork of
incident response framework. A scan
report (see Reporting Format Section)
consists of data collected from the
system. Once we get the required data,
we can arrive at an actionable measure to
fix the issue.
This can be explained with an example:
A bizarre exe inj_adb.exe exists in the
system and was executed with PID as an
argument. This PID is the process ID of a
sandboxed Adobe Reader process. As a
result, a new file is created named ‘adbe’.
This appears suspicious and requires some
action.
When system information is collected and
events are reported, we can co-relate this
incident with the product Acrobat Reader.
Using system information, it will be clear
that the version of Acrobat Reader in
Windows is 11.0.8, which is vulnerable to
attacks.
•Collects events from system
•Collects processes, ports,
applications information
Events
collection
•Suspicious events are marked as
incidents
Incident
Identification •Products are identified using co-
relation
•Vulnerabilities related to
products are identified
•Remediation is identified for the
vulnerabilities present and
prevents further attacks
Analytics and
Correlation
11. The CVE explains that the Acrobat Reader
Windows sandbox is vulnerable to NTFS
junction attack. An NTFS junction point is
a symbolic link to a directory that acts as
an alias of that directory. This vulnerability
allows malware to write an arbitrary file
to the file system under user permissions.
This could be used to break out of the
sandbox leading to execution at higher
privileges. This is marked as CVE-2014-
9150.
Remediation suggests removal of adbe
file, inj_adb.exe and unwanted .dll
present in the location of the sandboxed
process, in conjunction to upgrading this
Adobe product to fix known
vulnerabilities. Common Remediation
Enumeration CRE gives us the patch to be
installed to upgrade Adobe Acrobat
Reader.
This vulnerability is related to weakness
enumeration CWE-362, Concurrent
Execution using Shared Resource with
Improper Synchronization ('Race
Condition').
From these CWE, we arrive at attack
patterns CAPDEC-26 and CAPDEC-29.
CAPDEC stands for Common Attack
Pattern Enumeration and Classification, a
community resource for identifying and
understanding attacks.
Additionally, this scenario of ascertaining
unwanted behaviour and fixing issue
caters to safeguarding us against attacks
in future.
Summary
The metadata model stores security
intelligence. Due to efficient analytics and
correlation of various SCAP entities, it
reduces the time of attack detection and
remediation of the outbreak. 90% of the
attacks make use of vulnerabilities that
exist in the computer systems. Due to the
complexity of attacks and enormous
volume of data it may not be possible to
quickly identify vulnerabilities and attacks
and take appropriate actions to remediate
those weaknesses. If remediation fixes
take days and weeks to execute, this
opens a large window for attackers to
exploit our systems. Hence, it is vital to
work on a small set of information crafted
as metadata that accommodates
meaningful information to trace an attack,
resolve and protect our systems from
future attacks.
What next?
This metadata model can be used as a
foundation to design complex attack
detection and prevention mechanisms.
This will be inevitable in near future
because hackers are designing novel
techniques of attacking and compromising
the system. Mechanisms consuming this
metadata should be able to relate events
from a system report them as incidents in
case an action is needed, and eventually
stop an attack from happening. As the
underlying SCAP content evolves,
metadata schema should be able to
accommodate various attributes of attack
detection and protection.
12. Acronyms and Abbreviations
SCAP Security Content Automation
Protocol
CVE Common Vulnerabilities and
Exposures
CCE Common Configuration
Enumeration
CPE Common Platform Enumeration
CRE Common Remediation
Enumeration
XCCDF Extensible Configuration
Checklist Description Format
OVAL Open Vulnerability and
Assessment Language
MAEC Malware Attribute Enumeration
and Characterization
SIEM Security Incidents and Events
Management
CVSS Common Vulnerability Scoring
System
CCSS Common Configuration Scoring
System
XML Extensible Mark-up Language
XSD XML Schema Definition
ASLR Address space layout
randomization
References
The Technical Specification for the
Security Content Automation Protocol
(SCAP): SCAP Version 1.2 (September
2011)
http://csrc.nist.gov/publications/nistp
ubs/800-126-rev2/SP800-126r2.pdf
National Cyber Awareness System
Vulnerability Summary
http://web.nvd.nist.gov/
Metadata repository
https://www.scaprepo.com/SCAPRep
oWebService
Adobe Security Bulletin
http://helpx.adobe.com/security/pro
ducts/flash-player/apsb15-02.html
Author:
Preeti Subramanian
Working as Software Architect at
SecPod Technologies
Bangalore, India
Email: spreeti@secpod.com