Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering
1. Web Application & Web Services Security integrated in Global Application Offering
- Problems? No, no problems at all. - Yes. We're using WAF too.
3.11.2011 Thomas Malmberg
2. Agenda
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY]
• Security and its many faces
• Drivers and issues for choosing an application firewall
• Minutes to learn, a lifetime to master
"Questions may be asked at any given time"
Web Application & Web Services Security integrated in Global Application Offering
3. Security and its many faces
• Security has to be applied on many levels in an organization
  – Processes
  – User management
  – Firewalls
  – Keycards
  – Doors
  – SSL
  – Penetration testing
  – Training
  – ...
• Can security be enforced by applying Magnum Force?
4. Security and its many faces
• Carrot and stick approach
  – Give some and get some
  – Design and enforce policies, not "magnum force"
  – Involve the right people: you need to "sell your agenda"
  – Make sure you "enable business" (but what does that really mean?)
  – In certain cases, deploying a new technology is the right solution
5. Drivers and issues for choosing an application firewall
..but wait - let's recap what REALLY happened (or what should have happened)
The Stick: PCI-DSS
The Carrot: Cut costs on expensive application re-testing and re-coding and re-inventing and re-everything
6. Drivers and issues for choosing an application firewall
• PCI-DSS was "the drop that spilled the cup"
• Before PCI-DSS we had at least this:
  – National Legislation
  – Financial Supervisory Authority Directives
  – EU Legislation & Directives
  – Finanssivalvonta, Finansinspektionen
  – Common Sense
• Then we woke up and realized that...
  – Security had many faces
  – Security cannot be bought (but neat firewalls can!)
  – Security is a mindset
  – Security is a way of life
Financial Supervisory Authority: Finanssivalvonta (FI), Finansinspektionen (SE)
7. Drivers and issues for choosing an application firewall
• Today we understand that
  – Credit-card numbers are not everything
  – There are a lot of different input sources to definitive compliance
  – It is not wise to pursue different directives or legislations separately
  – Everything we do in this field increases the overall security
8. Drivers and issues for choosing an application firewall
9. Case HBGary
• HBGary and HBGary Federal position themselves as experts in computer security. The companies offer both software and services to both the public and private sectors.
• HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.
• Anonymous is a diverse bunch: though they tend to be younger rather than older, their age group spans decades. Some may still be in school, but many others are gainfully employed office-workers, software developers, or IT support technicians, among other things.
• Source: http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/
10. Case HBGary
1. The CMS system had an SQL injection vulnerability
2. Usernames were stolen from the user database
3. Passwords were hashed using simple MD5 without salting
4. Passwords were weak
5. The same passwords were used for public SSH access
6. The SSH server was not patched, so root access could be gained
7. The same passwords were used for email accounts, Google Apps and for Gmail administrators
8. Using admin rights, many email accounts were scavenged for information
9. Email was used for social engineering to gain even more access to other sites
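Steps 3 and 4 of the chain above are the ones a defender can check for directly in a user store. The following is an added example written for this page, not code from the presentation: it audits a constructed legacy store for raw unsalted MD5 digests and for identical digests across accounts (which an unsalted scheme leaks whenever two users share a password), and shows the salted, slow replacement with a migrate-on-login path. The user records, passwords and the PBKDF2 iteration count are assumptions for illustration.

```python
"""Defender-side helpers for the password-storage failures in the HBGary
case above (unsalted MD5, weak and reused passwords). Added example for
this page, not code from the presentation; the user records below are
constructed sample data, not real credentials."""
import hashlib
import hmac
import os
import re
from collections import Counter

# Constructed legacy store in the shape the case describes: one bare,
# unsalted MD5 hex digest per account. Two accounts share a password.
LEGACY_STORE = {
    "admin": hashlib.md5(b"password123").hexdigest(),
    "jdoe": hashlib.md5(b"password123").hexdigest(),
    "ops": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

RAW_MD5 = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ROUNDS = 200_000  # assumed iteration count, for illustration only


def audit_store(store):
    """Flag the two things an unsalted fast hash gives away: the digest is
    directly precomputable ('unsalted-md5'), and equal digests across
    accounts reveal which users share a password ('shared-hash')."""
    findings = []
    seen = Counter(store.values())
    for user, digest in store.items():
        if RAW_MD5.match(digest):
            findings.append((user, "unsalted-md5"))
        if seen[digest] > 1:
            findings.append((user, "shared-hash"))
    return findings


def hash_password(password, salt=None):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the
    standard library). The same password yields a different string each
    time, so duplicate digests no longer reveal password reuse."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Constant-time comparison against a hash_password() record."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def login_and_migrate(user, password, legacy, new):
    """Migration path that needs no plaintext dump: on a successful login
    against the legacy MD5 digest, write a salted PBKDF2 entry and drop the
    legacy one. Returns True when the login succeeds."""
    if user in new:
        return verify_password(password, new[user])
    digest = legacy.get(user)
    if digest is None:
        return False
    candidate = hashlib.md5(password.encode()).hexdigest()
    if not hmac.compare_digest(candidate, digest):
        return False
    new[user] = hash_password(password)
    del legacy[user]
    return True


if __name__ == "__main__":
    print(audit_store(LEGACY_STORE))
    legacy, new = dict(LEGACY_STORE), {}
    print(login_and_migrate("jdoe", "password123", legacy, new))
    print(audit_store(new))
```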
11. Drivers and issues for choosing an application firewall
12. Drivers and issues for choosing an application firewall
• An application firewall (WAF) would not make us PCI-DSS compliant
• It would only partially answer one of the requirements set by the PCI Council
• BUT - depending on the product we choose we could
  – increase the overall security level of all of our public internet services
  – accelerate our websites
  – apply quick fixes to 0-day vulnerabilities when we most need it
  – safely deploy applications with known issues to the public while investigating the root cause
  – possibly protect our web services
"0-day vulnerabilities must be fixed IMMEDIATELY."
13. Minutes to learn, a lifetime to master
• A few do's and don'ts along the way
  – Don't expect the application firewall to be a generic solution to issues in your software development
  – Don't ditch external security audits
  – Don't expect everything to be up and running smoothly on day 1
  – Don't expect that the application firewall never requires attention
  – Make sure you have a process to monitor discrepancies and (major) changes in your traffic profile
14. Minutes to learn, a lifetime to master
• A few do's and don'ts along the way
  – It does add security where you need it the most
  – It does fix issues with your applications that programmers can't (at least not fast enough)
  – It gives you a good idea of what is going on with your applications
15. Minutes to learn, a lifetime to master
• Plan the implementation beforehand
• Inform your stakeholders about possible issues when rolling out
• Treat the application firewall rollout as any major software update in your system
• Don't try to solve everything at once: think big, start small
"A WAF project is like any other IT project: it fails if not conducted properly"
16. Thank You! Kiitos! Tack!
Questions?
Kysymyksiä?
Frågor?
Hopefully at least a few...
Contact:
thomas.malmberg@aktia.fi
http://fi.linkedin.com/in/thomasmalmberg