Web application security measures
Why Use Threat Model For Applications
- Deliver the scalability needed in large enterprise environments
- Reduce the involvement of subject matter experts
- Make the application threat modeling process less time consuming and tedious to implement
- Provide a meaningful output, or allow for real-time collaboration between stakeholders
CYBER SECURITY
Made For Security
Chiranjibi Adhikari
President at npCert (Information Security Response Team Nepal)
Immediate Past President at Center For Cyber Security Research and Innovation (CSRI)
Executive Director at OneCover Pvt. Ltd.
Founder of ICT Frame Magazine
Secretary at CAN Federation
Member at OWASP
Member at ISACA
Recommended Security Test For National Library Portal
Observe thoroughly:
- Injection Flaws
- Cross-Site Scripting
- Insecure Direct Object References
- Open URL Redirects
- Cross-Site Request Forgery
- Command Injection
- Broken Authentication
- Security Misconfiguration, Sensitive Data Exposure
- API Testing
Application Security
Application Threat Modeling
Open Source Tool
Microsoft Threat Modeling
Cybersecurity best practices for businesses that every employee should know and follow
- DO NOT OPEN ANY LINKS OR DOWNLOAD ANY ATTACHMENTS
- DO NOT CLICK ON POP-UPS
- DO NOT DISABLE FIREWALL
- ENABLE MULTI FACTOR AUTHENTICATION (MFA)
- UPDATE to the latest security patches for your desktop
- Use Enterprise Virtual Private Network
- LOCK your devices before you leave them unsupervised
- Enforce the USE of End-to-end (E2E) encryption for communication
- INCREASE PASSWORD COMPLEXITY
- Beware of SHOULDER SURFING, as others might be able to see/listen to sensitive and confidential information.
Best security practices that every business should follow
- Review your Business Continuity Planning (BCP) and Procedures.
- Update your Organization's Infrastructure
- Use Multi-Factor Authentication
- Strictly monitor user access and user roles
- Define access rights for your Infrastructure
- Reduce timeout for employees accessing organization resources remotely
- Back up and store data securely
- Ensure physical security measures are taken by employees
Incident Response Plan during Work From Home
- Make a list of critical infrastructures that need addressing.
- Prioritize the infrastructures accordingly.
- Maintain a detailed overview of the organization's network architecture.
- Assign the incident lead task to a relevant person who will communicate with the team.
- Train all staff to distinguish fake emails from real ones and to immediately report suspicious emails or attachments.
Work From Home Cybersecurity Basics: Incident Response Planning
- Make a complete backup of the systems so that they can be restored in a timely manner in case of an incident.
Checklists:
1. Who is responsible for reacting to the incident first and taking the lead on it?
2. Who is responsible for each process of the Incident Response?
3. If the team needs third-party expertise, how will communication be handled?
4. How is the legal part of the incident handled?
Do's and Don'ts of Effective Incident Response Procedure
1) First of all, don't panic.
2) Don't shut down any infected systems, as it might delete the juicy data which is very important when performing a forensic investigation.
3) Don't use any non-forensic tools, as they can overwrite the timeline associated with the attack.
4) Collect logs from different areas.
   For Windows, collect application/security/system logs from Event Viewer.
   For Linux, collect /var/log/*
5) Don't wipe any non-important files/data.
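A log-collection script for step 4 on Linux, added here as an example and not part of the slides. It assumes GNU tar and sha256sum are available, and takes the source and evidence directories as arguments so it can be exercised on a constructed directory rather than the live /var/log.

```shell
#!/bin/sh
# Added example (not from the slides): preserve Linux logs for forensic review
# without touching the source directory. Assumed tools: tar, sha256sum (GNU
# coreutils), uname, date. Paths are passed in, so the function can be run
# against a constructed directory instead of the real /var/log.

# collect_logs SRC_DIR EVIDENCE_DIR
# Archives SRC_DIR into EVIDENCE_DIR, records a SHA-256 of the archive and a
# small collection record, marks the evidence read-only, and prints the path.
collect_logs() {
    src="$1"
    dest="$2"
    [ -d "$src" ] || { echo "collect_logs: no such directory: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    dest=$(cd "$dest" && pwd) || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/logs-$stamp.tar"
    # tar only reads $src and keeps each file's mtime inside the archive, so
    # the timeline the slides warn about is preserved and nothing is written
    # into the source directory.
    tar -C "$src" -cf "$archive" . || return 1
    # Hash the archive so any later modification of the evidence is detectable.
    (cd "$dest" && sha256sum "$(basename "$archive")" > "$archive.sha256") || return 1
    # Minimal chain-of-custody record: which host, when, and from where.
    printf 'host=%s\ncollected_utc=%s\nsource=%s\n' \
        "$(uname -n)" "$stamp" "$src" > "$archive.meta" || return 1
    chmod 0444 "$archive" "$archive.sha256" "$archive.meta"
    echo "$archive"
}

# verify_logs ARCHIVE
# Re-checks the recorded SHA-256; returns non-zero if the archive changed.
verify_logs() {
    archive="$1"
    (cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256")
}

# list_logs ARCHIVE
# Lists the files captured, so the responder can confirm coverage.
list_logs() {
    tar -tf "$1"
}
```

Run it as `collect_logs /var/log /mnt/evidence` once the evidence volume is mounted; `verify_logs` is what you re-run before handing the archive to an analyst.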
Defense in Depth Planning
- Physical control
- Technical control
- Administrative control
Technical control
- Firewall
- Intrusion prevention system for network and host devices
- Advanced anti-malware
- Anti-spam and anti-phishing at the Web and messaging gateways
- Web reputation
- Application control
- Content filtering
- Vulnerability shielding
- Mobile app reputation
- Effective cyber security awareness training for all employees
Steps To Take After a Data Breach
1) Notify immediately
2) Notify what information has been breached
3) Request for Modification
4) Investigate the incident
5) Find & Mitigate Vulnerabilities
6) Protect against Future Incidents
Thank You
