The Presentation is about the Basic Introduction to Cybersecurity that talks about introduction and what is security means. Also the presentation talks about CIA Triad i.e confidentiality, integrity and availability
How to scale threat modelling activities across many applications and large development teams using templates and risk patterns.
Introducing IriusRisk Community edition
Presentation given at O'Reilly Security Amsterdam 2016
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
Application Security Architecture and Threat ModellingPriyanka Aash
95% of attacks are against “Web Servers and Web Applications”
Security Architecture and SDLC
3 Tier – Web App Architecture
Would you trust the code?
Traditional SDLC
Secure SDLC
SAST vs. DAST
This presentation is part of one of talk, I gave in Microsoft .NET Bootcamp. The contents are slightly edited to share the information in public domain. In this presentation, I covered the significance and all related theory of Threat modeling and analysis.This presentation will be useful for software architects/Managers,developers and QAs. Do share your feedback in comments.
The Presentation is about the Basic Introduction to Cybersecurity that talks about introduction and what is security means. Also the presentation talks about CIA Triad i.e confidentiality, integrity and availability
How to scale threat modelling activities across many applications and large development teams using templates and risk patterns.
Introducing IriusRisk Community edition
Presentation given at O'Reilly Security Amsterdam 2016
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
Application Security Architecture and Threat ModellingPriyanka Aash
95% of attacks are against “Web Servers and Web Applications”
Security Architecture and SDLC
3 Tier – Web App Architecture
Would you trust the code?
Traditional SDLC
Secure SDLC
SAST vs. DAST
This presentation is part of one of talk, I gave in Microsoft .NET Bootcamp. The contents are slightly edited to share the information in public domain. In this presentation, I covered the significance and all related theory of Threat modeling and analysis.This presentation will be useful for software architects/Managers,developers and QAs. Do share your feedback in comments.
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
This talk is about different attacker persistence techniques that we have seen in the wild, or published by other companies. We wanted to create a massive document containing all of these techniques with a mile wide, inch deep approach. Our goal is to give a description of how each technique works and a way to detect them to allow anyone to start looking for these specific techniques.
Introduction to Web Application Penetration TestingAnurag Srivastava
Web Application Pentesting
* Process to check and penetrate the security of a web application or a website
* process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities
* Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
VAPT defines the security measures that are supposed to be put in place to address cyber threats. There are plenty of strategies that can be adopted in Pen Testing which include Black Box Pen Test, White Box Pen Text, Hidden Pen Test, Internal Pen Test, and Gray Box Testing. It is mandatory that VAPT is conducted in order to deter cyber-attacks that are on the upsurge daily. These VAPT ranges from Mobile, Network Penetration Testing, and Vulnerability Assessments.
There are many merits to VAPT in your business which include early error detection in program codes which will prevent cyber attacks. Most companies lose billions of dollars due to cyber-attacks. With VAPT, it guarantees that all loopholes are tightened before an intrusion transpires.
10 Steps to Building an Effective Vulnerability Management ProgramBeyondTrust
You can tune in for the full webinar recording here: https://www.beyondtrust.com/resources/webinar/10-steps-to-building-an-effective-vulnerability-management-program/
In this presentation from the webinar by cyber security expert Derek A, Smith, hear a step-by-step overview of how to build an effective vulnerability management program. Whether your network consists of just a few connected computers or thousands of servers distributed around the world, this presentation discusses ten actionable steps you can apply whether its to bolster your existing vulnerability management program--or building one from scratch.
Planning and Deploying an Effective Vulnerability Management ProgramSasha Nunke
This presentation covers the essential components of a successful Vulnerability Management program that allows you proactively identify risk to protect your network and critical business assets.
Key take-aways:
* Integrating the 3 critical factors - people, processes & technology
* Saving time and money via automated tools
* Anticipating and overcoming common Vulnerability Management roadblocks
* Meeting security regulations and compliance requirements with Vulnerability Management
Network Security protects your network and data from breaches, intrusions and other threats. View this presentation now to understand what is network security and the types of network security.
Happy learning!!
Derek Milroy, IS Security Architect at U.S. Cellular Corporation, defined “vulnerability management” and how it affects today’s organizations during his presentation at the 2014 Chief Information Security Officer (CISO) Leadership Forum in Chicago on Nov. 19. In his presentation, “Enterprise Vulnerability Management/Security Incident Response,” Milroy noted vulnerability management has different meanings to different organizations, but an organization that utilizes vulnerability management processes can effectively safeguard its data.
According to Milroy, an organization should develop its own vulnerability management baselines to monitor its security levels. By doing so, Milroy said an organization can launch and control vulnerability management systems successfully. In addition, Milroy pointed out that vulnerability management problems occasionally will arise, but a well-prepared organization will be equipped to handle such issues: “Problems are going to happen … You have to work with your people. This can translate to any tool that you’re putting in place. Make sure your people have plans for what happens when it goes wrong, because it’s going to [happen] every single time.”
Milroy also noted that having actionable vulnerability management data is important for organizations of all sizes. If an organization evaluates its vulnerability management processes regularly, Milroy said, it can collect data and use this information to improve its security: “The simplest rule of thumb for vulnerability management, click the report, hand the report to someone. Don’t ever do that. There is no such thing as a report from a tool that you can just click and hand to someone until you first tune it and pare it down.”
- See more at: http://www.argylejournal.com/chief-information-security-officer/enterprise-vulnerability-managementsecurity-incident-response-derek-milroy-is-security-architect-u-s-cellular-corporation/#sthash.Buh6CzLS.dpuf
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEAjith Kp
A slide show on the subject web application vulnerabilities. It contains how the vulnerabilities evolves, how to detect, how to exploit and how to defense against the vulnerabilities with example.
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
This talk is about different attacker persistence techniques that we have seen in the wild, or published by other companies. We wanted to create a massive document containing all of these techniques with a mile wide, inch deep approach. Our goal is to give a description of how each technique works and a way to detect them to allow anyone to start looking for these specific techniques.
Introduction to Web Application Penetration TestingAnurag Srivastava
Web Application Pentesting
* Process to check and penetrate the security of a web application or a website
* process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities
* Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
VAPT defines the security measures that are supposed to be put in place to address cyber threats. There are plenty of strategies that can be adopted in Pen Testing which include Black Box Pen Test, White Box Pen Text, Hidden Pen Test, Internal Pen Test, and Gray Box Testing. It is mandatory that VAPT is conducted in order to deter cyber-attacks that are on the upsurge daily. These VAPT ranges from Mobile, Network Penetration Testing, and Vulnerability Assessments.
There are many merits to VAPT in your business which include early error detection in program codes which will prevent cyber attacks. Most companies lose billions of dollars due to cyber-attacks. With VAPT, it guarantees that all loopholes are tightened before an intrusion transpires.
10 Steps to Building an Effective Vulnerability Management ProgramBeyondTrust
You can tune in for the full webinar recording here: https://www.beyondtrust.com/resources/webinar/10-steps-to-building-an-effective-vulnerability-management-program/
In this presentation from the webinar by cyber security expert Derek A, Smith, hear a step-by-step overview of how to build an effective vulnerability management program. Whether your network consists of just a few connected computers or thousands of servers distributed around the world, this presentation discusses ten actionable steps you can apply whether its to bolster your existing vulnerability management program--or building one from scratch.
Planning and Deploying an Effective Vulnerability Management ProgramSasha Nunke
This presentation covers the essential components of a successful Vulnerability Management program that allows you proactively identify risk to protect your network and critical business assets.
Key take-aways:
* Integrating the 3 critical factors - people, processes & technology
* Saving time and money via automated tools
* Anticipating and overcoming common Vulnerability Management roadblocks
* Meeting security regulations and compliance requirements with Vulnerability Management
Network Security protects your network and data from breaches, intrusions and other threats. View this presentation now to understand what is network security and the types of network security.
Happy learning!!
Derek Milroy, IS Security Architect at U.S. Cellular Corporation, defined “vulnerability management” and how it affects today’s organizations during his presentation at the 2014 Chief Information Security Officer (CISO) Leadership Forum in Chicago on Nov. 19. In his presentation, “Enterprise Vulnerability Management/Security Incident Response,” Milroy noted vulnerability management has different meanings to different organizations, but an organization that utilizes vulnerability management processes can effectively safeguard its data.
According to Milroy, an organization should develop its own vulnerability management baselines to monitor its security levels. By doing so, Milroy said an organization can launch and control vulnerability management systems successfully. In addition, Milroy pointed out that vulnerability management problems occasionally will arise, but a well-prepared organization will be equipped to handle such issues: “Problems are going to happen … You have to work with your people. This can translate to any tool that you’re putting in place. Make sure your people have plans for what happens when it goes wrong, because it’s going to [happen] every single time.”
Milroy also noted that having actionable vulnerability management data is important for organizations of all sizes. If an organization evaluates its vulnerability management processes regularly, Milroy said, it can collect data and use this information to improve its security: “The simplest rule of thumb for vulnerability management, click the report, hand the report to someone. Don’t ever do that. There is no such thing as a report from a tool that you can just click and hand to someone until you first tune it and pare it down.”
- See more at: http://www.argylejournal.com/chief-information-security-officer/enterprise-vulnerability-managementsecurity-incident-response-derek-milroy-is-security-architect-u-s-cellular-corporation/#sthash.Buh6CzLS.dpuf
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEAjith Kp
A slide show on the subject web application vulnerabilities. It contains how the vulnerabilities evolves, how to detect, how to exploit and how to defense against the vulnerabilities with example.
ASFWS 2012 - Le développement d’applications sécurisées avec Android par Joha...Cyber Security Alliance
Les plateformes mobiles prolifèrent et sont maintenant utilisées pour accéder à toutes sortes de données, dont certaines assez sensibles (par exemple bancaires). Les Smartphones deviennent logiquement une cible pour les “hackers”.
La plateforme Android largement majoritaire, n’a pas été initialement conçue en mettant en avant la sécurité, ce que Google tente peu à peu de corriger. Les menaces sur le système Android sont nombreuses.
En particulier, les applications développées en Java puis ensuite distribuées sous forme de bytecode offrent peu de résistance au “reverse engineering” et les solutions d’obfuscation (comme Proguard) restent limitées.
Dans le même temps, la publication d’applications sur le Google Play Store n’est pas soumise à validation comme par exemple dans l’Apple Store. Les applications mal intentionnées ne sont retirées qu’après coup. Dans ce contexte, les hackers peuvent alors tranquillement étudier le comportement interne d’une application, la copier, lui injecter du code malicieux, la republier puis attendre qu’elle opère jusqu’à ce qu’elle soit retirée.
Si les mécanismes de sécurité Android sont encore incomplets, l’ouverture de la plateforme offre, en revanche, de nouvelles possibilités très intéressantes. En utilisant judicieusement ces dernières, il devient possible de diminuer drastiquement la surface d’attaque, notamment dans le contexte de la menace précitée.
La présentation décrira et illustrera la liste de mesures que nous avons mises en oeuvre pour protéger notre application d’authentification forte. Nous montrerons dans notre exposé comment obtenir une application unique pour chaque utilisateur et comment la lier fortement au hardware de manière à rendre la copie et la modification fortement improbables. Les techniques que nous présenterons sont innovantes et encore peu utilisées… mis à part par certains malwares avancés.
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult CasesPositive Hack Days
A participant will acquire the following skills: detecting complex vulnerabilities in web applications, manually analyzing the results of scanning web application security, assessing efficiency of specialized means of protection, such as a web application firewall.
Web Application Penetration Tests - Vulnerability Identification and Details ...Netsparker
These slides explain what the Vulnerability Identification stage consists of during a web application security assessment.
These slides are part of the course Introduction to Web Application Security and Penetration Testing with Netsparker, which can be found here: https://www.netsparker.com/blog/web-security/introduction-web-application-penetration-testing/
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
One of the reasons application security is so challenging to address is that it spans multiple teams within an organization. Development teams build software, security testing teams find vulnerabilities, security operations staff manage applications in production and IT audit organizations make sure that the resulting software meets compliance and governance requirements. In addition, each team has a different toolbox they use to meet their goals, ranging from scanning tools, defect trackers, Integrated Development Environments (IDEs), WAFs and GRC systems. Unfortunately, in most organizations the interactions between these teams is often strained and the flow of data between these disparate tools and systems is non-existent or tediously implemented manually.
In today’s presentation, we will demonstrate how leading organizations are breaking down these barriers between teams and better integrating their disparate tools to enable the flow of application security data between silos to accelerate and simplify their remediation efforts. At the same time, we will show how to collect the proper data to measure the performance and illustrate the improvement of the software security program. The challenges that need to be overcome to enable teams and tools to work seamlessly with one another will be enumerated individually. Team and tool interaction patterns will also be outlined that reduce the friction that will arise while addressing application security risks. Using open source products such as OWASP ZAP, ThreadFix, Bugzilla and Eclipse, a significant amount of time will also be spent demonstrating the kinds of interactions that need to be enabled between tools. This will provide attendees with practical examples on how to replicate a powerful, integrated Application Security program within their own organizations. In addition, how to gather program-wide metrics and regularly calculate measurements such as mean-time-to-fix will also be demonstrated to enable attendees to monitor and ensure the continuing health and performance of their Application Security program.
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin, Inc.
RFP Template for healthcare organizations to use when looking for a qualified information security assessment firm to perform a HIPAA Security Risk Analysis as defined in the HIPAA Security Rule 45 CFR 164.308(a)(1)(A).
Apache Shiro, a simple easy-to-use framework to enforce user security by Shiro PMC Chair and Stormpath CTO, Les Hazlewood.
http://shiro.apache.org
http://stormpath.com
How-To-Guide for Software Security Vulnerability RemediationDenim Group
The security industry often pays a tremendous amount of attention to finding security vulnerabilities. This is done via code review, penetration testing and other assessment methods. Unfortunately, finding vulnerabilities is only the first step toward actually addressing the associated risks, and addressing these risks is arguably the most critical step in the vulnerability management process. Complicating matters is the fact that most application security vulnerabilities cannot be fixed by members of the security team but require code-level changes in order to successfully address the underlying issue. Therefore, security vulnerabilities need to be communicated and transferred to software development teams and then prioritized and added to their workloads. This paper ex- amines steps required to remediate software-level vulnerabilities properly, and recommends best practices organizations can use to be successful in their remediation efforts.
Metrics & Reporting - A Failure in CommunicationChris Ross
Wisegate recently conducted a research initiative to assess the current state of security risks and controls in business today. One of the key takeaways? A concerning lack of metrics and reporting on the subject. While CISOs claim to be improving corporate security all the time, there is little ability to measure that success. In this Drill-Down report, Wisegate uncovers where most organizations stand when it comes to metrics and reporting, and how it is affecting their businesses on the whole.
Information Assurance Metrics: Practical Steps to MeasurementEnclaveSecurity
Show up to a security presentation, walk away with a specific action plan. In this presentation, James Tarala, a senior instructor with the SANS Institute, will be presenting on making specific plans for information assurance metrics in an organization. Clearly this is an industry buzzword at the moment when you listen to presentations on the 20 Critical Controls, NIST guidance, or industry banter). Security professionals have to know that their executives are discussing the idea. So exactly how do you integrate information assurance metrics into action in an organization and actually achieve value from the effort. Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of their security program. Small steps are better than no steps, and by the end of this presentation, students will have a start integrating metrics into their information assurance program.
Sans 20 CSC: Connecting Security to the Business MissionTripwire
You know the old break-up line, “it’s not you, it’s me….”? As a CISO, what if when you get your few minutes to discuss security with the C-suite, board of directors or mission leadership, it really turns out to be you not them who failed in the communication?
Lack of success in communicating with your C-suite could lead to a breakup sooner or later. I’ve had hundreds of conversations with and about CISOs communicating – - on topics ranging from security breach information, status, performance metrics, risk, visualizations, or overall security posture with their executive leadership.
And largely, it turns out to be no surprise that communicating security information is incredibly difficult, especially with non-technical, disinterested, or time-constrained C-suite executives.
Success with SANS
The initial UMASS Security Program was based on the ISO/IEC 27002 controls framework, then starting in 2011, the SANS 20 CSC were added. Today’s program includes both. The ISO controls focus on program management, compliance and process from an IT auditor’s perspective, while the SANS controls focus on technology means they are better aligned with IT operations.
Prior to 2011, Wilson was having difficulty communicating with executive management (CIOs and others) – it was difficult to translate the purchase and implementation issues surrounding firewalls, anti-virus, and vulnerability scanning into easily familiar business terms and concepts relevant to management and process.
However, when he ditched trying to explain the ISO/IEC 27002 security controls framework in favor of using the SANS 20 CSC, he was able to communicate much more effectively with his C-suite for the first time in a way they could absorb and support.
In addition, he and his team have been able to map out a measurable and actionable security program based on SANS that he regularly succeeds in communicating to his executive team.
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
Abstract:
While vulnerability assessments are an essential part of understanding your risk profile, it's simply not realistic to expect to eliminate all vulnerabilities from your environment. So, when your scan produces a long list of vulnerabilities, how do you prioritize which ones to remediate first? By data criticality? CVSS score? Asset value? Patch availability? Without understanding the context of the vulnerable systems on your network, you may waste time checking things off the list without really improving security.
Join AlienVault for this session to learn:
*The pros & cons of different types of vulnerability scans - passive, active, authenticated, unauthenticated
*Vulnerability scores and how to interpret them
*Best practices for prioritizing vulnerability remediation
*How threat intelligence can help you pinpoint the vulnerabilities that matter most
Remote and local file inclusion (RFI/LFI) attacks are a favorite choice for hackers and many security professionals aren't noticing. Why is RFI/LFI attractive to hackers? Our report explains why hackers exploit RFI/LFI and what security teams need to do to stop it.
7 measures to overcome cyber attacks of web applicationTestingXperts
In recent years, the cyber-attacks have become rampant across computer systems, networks, websites and have been most widely attacking enterprises’ core business web applications, causing shock waves across the IT world.It is critical to follow a cyber-security incident response plan and risk management plan to overcome cyber threats and vulnerabilities. Evidently, CXOs need to leverage web application security testing and penetration testing to overcome the possible attacks on their business applications and systems
Penetration Testing Services play an important role in enhancing the security posture of any business and, hence, are in high demand. It is a proactive and authorized effort to evaluate the security of an IT infrastructure.
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
Join Cenzic’s Chris Harget for an overview of the essentials of Web Application Security, including the risks, practices and tools that improve security at every stage of the application lifecycle.
Ce rapport produit par WhiteHat en mai 2013 offre une vision pertinente des menaces web et des paramètres à prendre en compte pour assurer sécurité et disponibilité.
In this Vulnerability Assessment training, you will get to learn to configure; proper training; respond to vulnerabilities that put your organization out of risk. https://www.cyberradaracademy.com/course/online-vulnerability-assessment-and-management-course-cyber-security.html
mastering_web_testing_how_to_make_the_most_of_frameworks.pptxsarah david
Web testing ensures that your website is error-free by detecting faults and defects before they go live. Simply put, web testing involves testing several components of a web application to ensure the website’s proper functionality.
Want to know how to secure your web apps from cyber-attacks? Looking to know the Best Web Application Security Best Practices? Check this article, we delve into six essential web application security best practices that are important for safeguarding your web applications and preserving the sanctity of your valuable data.
Web app penetration testing best methods tools usedZoe Gilbert
Read this blog to know the best methodologies of web app penetration testing and tools to gain real-world insights by keeping untrusted data separate from commands and queries, with improved access control.
This presentation offers insight on defining appsec policies, highlighting the differences from InfoSec policy, attributes of effective policy and how to make policies actionable so they map to an organization's overall security and business processes.
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxlior mazor
Our technology, work processes, and activities all depend on if we trust our software to be safe and secure. Join us virtually for our upcoming "Emphasizing Value of Prioritizing AppSec" Meetup to learn how to build a cost effective application security program, implement secure coding analysis and how to manage software security risks.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
2. Web Application
Vulnerability Management
Jason Pubal
Blog
www.intellavis.com/blog
Social
linkedin.com/in/pubal
twitter.com/pubal
Presentation: http://bit.ly/WebAppVMFramework
I speak for myself. My employer uses press releases. These opinions are shareware - if you like
them, send $10. Actual mileage may vary. Some assembly required. Keep in a cool, dark place.
7. Web Application
Vulnerability Management
Problems?!
What happens after deployment?
• Security issues missed during
SDLC
• New Attack Techniques
• Infrastructure Vulnerabilities
What about applications that don’t
go through the SDLC?
• Hosted Applications
• Legacy Applications
• Commercial off the Shelf
Applications (COTS)
According to the Verizon 2014 Data
Breach Investigations Report, “web
applications remain the proverbial
punching bag of the Internet” with
35% of breaches being caused by web
application attacks.
9. Web Application
Vulnerability Management
Web Application Vulnerability Management Program
> 200 Web Applications
Big company with A LOT of Internet facing web
applications.
Continuous
Assessments are running all the time,
24-7 x 365.
Actual Attack Surface
Live, production applications
New Program
Built in the last year.
10. Web Application
Vulnerability Management
Web Application Vulnerability Management Framework
Policy
Inventory Enroll Assess Assess Report Remediate
Defect Tracking
Metrics
11. Web Application
Vulnerability Management
GOAL – Identify & Reduce Risk
Vulnerability Management
cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities
Risk Management
process of identifying vulnerabilities and threats to the information resources used by
an organization in achieving business objectives, and deciding what countermeasures,
if any, to take in reducing risk to an acceptable level, based on the value of the
information resource to the organization
Understand web application specific risk
exposure and bring it in-line with
policies.
푅푖푠푘 =
푇ℎ푟푒푎푡 ∗ 푉푢푙푛푒푟푎푏푖푙푖푡푦
퐶표푢푛푡푒푟푚푒푎푠푢푟푒푠
* Value
14. Web Application
Vulnerability Management
Preparation
Policy
Give YOU the ability to do Vulnerability Assessments, Set Remediation Timelines,
Security Coding Practices, Infrastructure Configuration Policies.
Processes
Decide what you’re doing. Get stakeholder approval.
Inventory
Create and maintain an inventory of web applications.
Project Management Integration
Hook into project management as a web application “go live” requirement.
Introductory Material
Create a communications plan. Build a packet of information to give application owners
as you enroll sites.
Scanning Tools
Choose a web application vulnerability scanner that fits your program requirements.
15. Web Application
Vulnerability Management
Dynamic Application Security Testing (DAST)
Detect conditions indicative of a security vulnerability in an
application in its running state
1. Spider Application
2. Fuzz Inputs
3. Analyze Response
17. Web Application
Vulnerability Management
Building your Inventory - Reconnaissance
Google
Google for you company. Go through the top 100 results. Build a list of websites.
NMAP
nmap -P0 -p80,443 -sV --script=http-screenshot <ip range/subnet>
Recon-ng
Web reconnaissance framework.
Google Dorks, IP/DNS Lookups, GPS, PunkSPIDER, Shodan, PwnedList, LinkedIn, etc…
DNS
Make friends with your DNS administrator
Reverse Lookups – ewhois.com
Reverse email lookup. Google Analytics or AdSense ID.
24. Web Application
Vulnerability Management
Not Infrastructure Vulnerability Management
Not a cookie cutter patch
Development team has to take time away from building new functionality.
Legacy Applications
What if we are no longer actively developing the application?
What if we don’t even employ developers who use that language?
Software Defects
Infrastructure folks have been doing patch management for years. Software developers
have fixing “bugs.” Frame the vulnerability as a code defect
Determine Level of Effort
Each fix is it’s own software development project.
Technical vs. Logical Vulnerabilities
A technical fix is usually straightforward and repetitive. Logical fixes can require
significant redesign.
25. Web Application
Vulnerability Management
Common Mistakes
Send PDF Report of 100 Vulnerabilities to Dev Team!
Avoid Bystander Apathy
Use Development Team’s Defect Tracking Tool
No Approval or Notification
Knocking over an application that no one knew you were scanning could have
detrimental political effects.
Not Considering Business Context in Risk Ratings
Only looking at the automated tool’s risk ranking is not sufficient. Take the applications
business criticality into consideration.
Forcing Developers to Use New Tools & Processes
Communicating with development teams using their existing tools and processes helps
to decrease friction between security and development organizations.
27. Web Application
Vulnerability Management
GOAL – Identify & Reduce Risk
Vulnerability Management
cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities
Risk Management
process of identifying vulnerabilities and threats to the information resources used by
an organization in achieving business objectives, and deciding what countermeasures,
if any, to take in reducing risk to an acceptable level, based on the value of the
information resource to the organization
Understand web application specific risk
exposure and bring it in-line with
policies.
푅푖푠푘 =
푇ℎ푟푒푎푡 ∗ 푉푢푙푛푒푟푎푏푖푙푖푡푦
퐶표푢푛푡푒푟푚푒푎푠푢푟푒푠
* Value
28. Web Application
Vulnerability Management
Metrics
Consistently Measured
Anyone should be able to look at the data and come up with the same metric using a
specific formula or method. Metrics that rely on subjective judgment are not good.
Cheap to Gather
Metrics ought to be computed at a frequency commensurate with the process’s rate of
change. We want to analyze security effectiveness on a day-to-day or week-by-week
basis. Figuring out how to automate metric generation is key.
Expressed as a Number or Percentage
Not with qualitative labels like high, medium, or low.
Expressed Using at Least One Unit of Measure
Defects, hours, or dollars. Defects per Application. Defects over Time.
Contextually Specific
The metric needs to be relevant enough to decision makers that they can take action. If
no one cares, it is not worth gathering.
29. Web Application
Vulnerability Management
Metrics
Security Testing Coverage
Percentage of applications in the organization that have been subjected to security testing.
Vulnerabilities per Application
Number of vulnerabilities that a potential attacker without prior knowledge might find.
You could also count by business unit or critically.
Company Top 10 Vulnerabilities
Like OWASP top 10, but organization specific
Mean-Time to Mitigate Vulnerabilities
Average time taken to mitigate vulnerabilities identified in an organization’s
technologies. This speaks to organization performance and the window in which the
vulnerability might be exploited.
31. Web Application
Vulnerability Management
Web App VM On the Cheap
Dynamic Application Security Testing (DAST) Tools
BurpSuite - $299, single license
OWASP Zed Attack Proxy (ZAP) – Open Source
Vulnerability Aggregation
ThreadFix – Open Source
Defect Tracking
JIRA - $10, 10 users
Bugzilla – Open Source
32. Web Application
Vulnerability Management
Jason Pubal
Blog
www.intellavis.com/blog
Social
linkedin.com/in/pubal
twitter.com/pubal
Presentation: http://bit.ly/WebAppVMFramework