This document discusses whether application security is more of a science or a quality assurance process. It argues that security and quality assurance teams should work together, as a collaborative approach is more powerful. Various security tools and techniques are demonstrated, such as exploiting file upload vulnerabilities, local file inclusion, and directory traversal. The document encourages becoming a security analyst by using OWASP resources, doing research, and participating in the security community.
6. So you know where to move ;)
Security is also a metric of Software Quality.
“The simple truth is that catching security holes earlier costs an organization less to remediate, which makes good business sense.”
7. QA Engineer / Security Analyst
QA Engineer: In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results.
Security Analyst: In security testing, the quality assurance team is concerned only with unexpected results and testing for the unknown.
8. Weapon
Passion, Persistence, Research
Tools, Guides, Checklists
9. Collaboration and Team work
“IT security and quality assurance working together are exponentially more powerful. The result will be a more security-oriented QA department and a more quality-oriented IT security department, which will help remove more risk and provide better continuity.”
10. OWASP
• SAMM
• WAF
• Development guide
• Testing guide
• ASVS
15. Smashing the app
Remote code execution – one of the most dangerous vulnerabilities in web apps.
How to achieve this goal:
• Upload scripts to the server
• Remote File Inclusion (RFI)
• Local File Inclusion (LFI)
16. Unrestricted file upload
File upload vulnerability – allows a remote attacker to upload files/scripts with arbitrary content or an arbitrary extension to the server.
This vulnerability exists because of incorrect file extension validation.
Incorrect methods of validating an uploaded file's extension:
• Validating the MIME type of the uploaded file instead of validating the file extension
• Black-list extension validation
• Other errors…
Insecure web server / application server configuration also plays an important role.
18. Changing MIME type
Validation sample:
<?php
$imageTypes = array("image/gif", "image/jpg", "image/png");
if (isset($_FILES["image"])) {
    // Checks only the MIME type sent by the client; the file name and content are never inspected
    if (!in_array($_FILES["image"]["type"], $imageTypes)) {
        die("Hacking Attempt!");
    }
    copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
}
?>
Problem: it is easy to change the file type, because it is set by the browser in the HTTP request, and every variable set by the browser can easily be changed by the user.
20. Regular expressions
<?php
if (isset($_FILES["image"])) {
    // \. matches a literal dot; the flaw is the missing $ anchor, so ".jpg" may appear anywhere in the name
    if (preg_match('#\.jpg#i', $_FILES["image"]["name"])) {
        copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
}
?>
In this sample the name of the uploaded file is checked for the string .jpg. But the regular expression is missing the control symbol $, which marks the end of the line. As a result the file shell.jpg.php will be uploaded successfully.
21. Right way
<?php
if (isset($_FILES["image"])) {
    // White list: letters, digits, "-" and "_", then exactly one allowed extension at the end of the name
    if (preg_match('#^[a-z0-9_-]+\.(jpg|png|bmp)$#i', $_FILES["image"]["name"])) {
        move_uploaded_file($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
}
?>
White list validation
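The three upload slides above can be compared side by side. The following block is an added example and is not code from the original slides: it puts the unanchored pattern from the "Regular expressions" slide next to an anchored white-list pattern, and replaces the client-supplied MIME type with a check of the file's actual bytes. The function names, the `$uploadDir` directory and the sample file names are assumptions made for this example.

```php
<?php
// Added example (not from the original slides): compare the flawed
// extension check with a white-list check, and verify content instead of
// trusting the browser's MIME type. All inputs below are constructed.

// Flawed pattern from the slides: no ^/$ anchors, so it only asks
// "does '.jpg' appear somewhere in the name?" and "shell.jpg.php" passes.
function flawed_name_check(string $name): bool {
    return preg_match('#\.jpg#i', $name) === 1;
}

// White-list pattern: anchored at both ends, dot escaped, extension taken
// from a fixed set. Path separators and ".." cannot appear at all.
function whitelist_name_check(string $name): bool {
    return preg_match('#^[a-z0-9_-]+\.(jpg|jpeg|png|gif)$#i', $name) === 1;
}

// Content check: ask PHP's image parser what the bytes are instead of
// reading $_FILES[...]["type"], which the client controls.
// Returns the detected extension, or null when the bytes are not an image.
function detect_image_extension(string $path): ?string {
    $info = @getimagesize($path);
    if ($info === false) {
        return null;
    }
    $map = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    return $map[$info[2]] ?? null;
}

// Hardened handler (assumed design, not the slides' code): validate the
// client name, verify the bytes, then store under a server-generated name
// so the client never chooses the path or the final extension.
function handle_upload(array $file, string $uploadDir): ?string {
    if (!isset($file['tmp_name'], $file['name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!whitelist_name_check($file['name'])) {
        return null;
    }
    $ext = detect_image_extension($file['tmp_name']);
    if ($ext === null) {
        return null;                        // bytes are not an image we accept
    }
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    return $target;
}

// Constructed sample names: the flawed check passes every one of them;
// the white list passes only the two genuine image names.
foreach (['shell.jpg.php', 'photo.jpg', 'photo.JPG', '../photo.jpg', 'a.jpg.b.jpg'] as $n) {
    printf("%-16s flawed=%-7s whitelist=%s\n", $n,
        flawed_name_check($n) ? 'pass' : 'reject',
        whitelist_name_check($n) ? 'pass' : 'reject');
}
```

The white list alone already rejects the double-extension name from the slide; the content check and the server-generated file name are there so that a file which happens to pass the name check still cannot carry a script body or land at a path the client picked. Serving the upload directory with script execution disabled is the usual third layer.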
22. Local File Inclusion
Local File Inclusion – allows including local files on the remote server and executing arbitrary code.
Reason: incorrect validation of the included file name, vulnerable server configuration.
Successful LFI exploitation has three main tasks:
• Removing the postfix
• Directory traversal
• Searching for files to inject code into
23. Directory Traversal
Filtering can prevent directory traversal.
Very often developers apply filtering of ../ :
<?php include(str_replace("../", "", $_GET["page"]).".inc"); ?>
../../../etc/passwd --> Filtration --> etc/passwd --> fail
But such filtering is not enough – it is not recursive:
..././..././..././etc/passwd --> Filtration --> ../../../etc/passwd --> profit
24. Secure Validation
Secure validation – validating the file name for service symbols:
<?php
$page = $_GET["page"];   // the page name comes from the request, as on the previous slide
// Reject any character outside A-Z, a-z, 0-9, "-" and "_"
if (preg_match('#[^a-z0-9_-]#i', $page)) {
    die("Hacking Attempt!");
}
include("{$page}.inc");
?>
In this sample, if we try to include a file whose name contains symbols other than A-Z, a-z, 0-9, «-» and «_», execution of the PHP script is interrupted.
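To show why the one-pass filter on the Directory Traversal slide fails and what the Secure Validation slide gains, here is an added example that is not code from the original slides. It runs the slide's payloads through the single-pass `str_replace`, a repeated variant, and the white-list check, and adds a `realpath()` containment check as a second layer; `$baseDir`, the function names and the sample page names are assumptions made for this example.

```php
<?php
// Added example (not from the original slides): the non-recursive "../"
// filter next to a repeated filter, the white-list check, and a
// realpath() containment check. Inputs are constructed; nothing is included.

// The slide's filter: a single pass of str_replace. "..././" loses its
// inner "../" and the surrounding characters collapse back into "../".
function naive_filter(string $page): string {
    return str_replace('../', '', $page);
}

// Repeating until nothing changes closes that particular bypass, but it is
// still a black list: absolute paths, encoded slashes and null bytes are
// not addressed by it.
function recursive_filter(string $page): string {
    do {
        $before = $page;
        $page = str_replace('../', '', $page);
    } while ($page !== $before);
    return $page;
}

// The slide's white list: anything outside [A-Za-z0-9_-] is rejected,
// so neither "." nor "/" can ever reach include().
function whitelist_ok(string $page): bool {
    return preg_match('#[^a-z0-9_-]#i', $page) !== 1;
}

// Defence in depth (assumed design): even a white-listed name is resolved
// with realpath() and must stay inside $baseDir; returns the real path or
// null when the file is missing or escapes the directory.
function resolve_include(string $baseDir, string $page): ?string {
    if (!whitelist_ok($page)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $page . '.inc');
    if ($base === false || $real === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // resolved outside the include directory
    }
    return $real;
}

// Constructed payloads taken from the slides, plus one legitimate name.
foreach (['../../../etc/passwd', '..././..././..././etc/passwd', 'about'] as $p) {
    printf("%-32s naive=%-22s recursive=%-12s whitelist=%s\n", $p,
        naive_filter($p), recursive_filter($p), whitelist_ok($p) ? 'ok' : 'reject');
}
```

The second payload is the one from the slide: after one pass it reads `../../../etc/passwd`, which is exactly the string the first pass was meant to remove. The white-list check rejects both payloads outright because they contain `.` and `/`, and `resolve_include()` then confirms that whatever survives still lives under the intended directory.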
25. So, how to become a Security Analyst
• Use OWASP
• Research
• Ask and share
• Participate in the community
• Samurai WTF
• Talk on Security Hole
He is also called "Woz" or "Steve from Apple" (since Wozniak, together with Jobs, founded Apple Computer). Woz began hacking by building blue boxes, devices that let users bypass the switching mechanisms in telephone lines in order to make long-distance calls for free. Jobs and Woz sold these blue boxes to fellow students and even used one of them themselves to call the Pope while pretending to be Henry Kissinger (the US Secretary of State). Tsutomu Shimomura deliberately left his computer open to a second attack in order to track down Mitnick. Soon after discovering the break-in he assembled a team and continued the work of catching
Adrian Lamo is known for breaking into Yahoo, Citigroup, Bank of America and Cingular. Jonathan James, an American hacker, became the first minor convicted of hacking. Kevin Poulsen broke into the FBI's database and gained access to classified information about telephone wiretaps. Poulsen hid for a long time, changing addresses and even his appearance, but in the end he was caught and sentenced to 5 years. After leaving prison he worked as a journalist and later became editor-in-chief of Wired News. His best-known article describes the process of identifying 744 sex offenders through their MySpace profiles. Gary McKinnon is accused of breaking into 53 Pentagon and NASA computers in 2001–2002 in search of information about UFOs. James became the youngest hacker in history. At 16 he was sent to prison for computer attacks on units of the US Department of Defense. Through that break-in he obtained user names and passwords and was able to read highly classified messages. Among his "victories" is the penetration of NASA's network (he managed to steal software worth more than $1.5 million). After the break-in was discovered, NASA had to shut down the system for inspection, which cost taxpayers $41,000. Today James, like many of his fellow "black hats", has become a law-abiding citizen and plans to open a computer security company.
There will always be a file extension that is not in the list.