sumnevaSERT Presentation

  1. sumnevaSERT

  2. AGENDA
     • Overview
     • Demonstration
     • Summary
     Copyright © 2010 Sumneva - All Rights Reserved - http://sumneva.com - info@sumneva.com

  3. Overview

  4. INSECURITIES
     • We live in a time where the security of data is the most emphasized yet least practiced thing
       • WikiLeaks
       • HBGary
       • Epsilon
     • Unfortunately, adding security to our applications is almost always event driven or reactive

  5. CUSTOMER DEMAND
     • Despite this, we’re all tasked with quickly developing applications for our customers/clients
       • Oftentimes, we take shortcuts and leave out things, like security
       • Not because we want to, but because we have to

  6. EXCUSES, EXCUSES...
     • We make many, many excuses to ourselves as to why we didn’t adequately secure our applications:
       • Not enough time
       • No one cares about the data/application
       • It’s “internal only”
       • Our users are not smart enough to do anything malicious
       • False sense of security

  7. RECIPE FOR DISASTER
     • Given:
       • The stresses of getting our applications released quickly
       • The lack of time we have to do so
     • Our applications - APEX & otherwise - are likely to have potential security vulnerabilities that we could easily fix
       • If we only knew what they were and had the time...

  8. SUMNEVASERT
     • sumnevaSERT: Security Evaluation & Review Tool
     • An APEX application designed to evaluate and identify potential security issues in other APEX applications
       • Supports APEX 4.0+
       • Runs on any edition of the database
       • Can be easily customized to meet your specific security and/or QA requirements

  9. HOW IT WORKS
     • sumnevaSERT uses a simple scoring & red light/green light approach to evaluate your application based on a number of pre-defined criteria
       • Each application gets a score based on the result of evaluating an attribute
       • Percentage as well as X of Y points
       • Each attribute evaluated either passes or fails
       • Pass yields a point; failure yields none

  10. HOW IT WORKS (screenshot)
     An authorization scheme was expected, but not found. Thus, this attribute failed. The developer can click on Fix and see step-by-step instructions.

  11. WHAT IT LOOKS FOR
     • sumnevaSERT ships with a set of attributes that inspect APEX applications for the following:
       • Application Settings
       • Session State Protection
       • Session Timeout
       • Unrestricted Items
       • Security Attributes
       • Encrypted Items
       • Schema Properties
       • Page Access
       • SQL Injection
       • Form Autocomplete
       • Cross Site Scripting
       • Authorization Schemes

  12. ONE SIZE DOESN’T FIT ALL
     • If you need additional attributes inspected, you can customize sumnevaSERT as much as you like
     • sumnevaSERT supports a number of rule types:
       • NULL/NOT NULL
       • List of Valid Values
       • Less Than/Greater Than
       • PL/SQL

  13. MULTI-PURPOSE
     • Thus, you can create your own attribute set(s) for specific purposes, for example:
       • General Security Attributes
         • A general set of attributes that must be met, and a minimal score that must be achieved
       • Application with Sensitive Data
         • Look for specific columns in reports and flag them for follow-up
       • Minimal Configuration Signature
         • Applications must use a specific authentication scheme, etc.

  14. sumnevaSERT: DEMONSTRATION

  15. Summary

  16. THE REALITY
     • sumnevaSERT will identify most security exploits that hackers and malicious users alike look for in APEX applications and provide step-by-step solutions to fix them
       • But it will not secure everything
       • There’s no such thing as a silver bullet of any sort...
     • You still need a strong overall security policy
       • Strong Passwords
       • Physical access control
       • Code Audits
       • Best Practices

  17. AVAILABILITY
     • Initial release in Beta now
       • Still accepting beta customers - contact us for details
     • Targeted release of June 2011
       • Will support APEX 4.0+

  18. LICENSING
     • Per instance of APEX
       • Can run on as many applications as you like, in as many workspaces as you like, in a single instance of APEX
     • Contact us for details & pricing
       • sales@sumneva.com
       • +1 (703) 879-4615
       • http://www.sumneva.com/sert

  19. http://sumneva.com
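To make the scoring model of slide 9, the four rule types of slide 12 and the attribute sets of slide 13 concrete, here is an added example: a small Python model of pass/fail, X-of-Y scoring with a minimum-score threshold, run against a constructed set of application attributes. It is not sumnevaSERT's own code (the tool is an APEX/PL-SQL application reading APEX metadata); the attribute names, the 80% threshold and the predicate standing in for a PL/SQL rule are all assumptions.

```python
from typing import Any, Callable, Dict, List, NamedTuple

# A rule checks one attribute of an application, using one of the four rule
# types from the deck. "PLSQL" is modelled as a Python predicate over the app.
class Rule(NamedTuple):
    name: str
    attr: str          # key in the application's attribute dict
    kind: str          # "NOT NULL" | "NULL" | "IN" | "LT" | "GT" | "PLSQL"
    arg: Any = None    # valid values, threshold, or predicate (assumed stand-in)
    fix: str = ""      # step-by-step remediation shown when the attribute fails

def evaluate(rule: Rule, app: Dict[str, Any]) -> bool:
    """Red light / green light: True = pass (one point), False = fail (no point)."""
    v = app.get(rule.attr)
    if rule.kind == "NOT NULL": return v is not None
    if rule.kind == "NULL":     return v is None
    if rule.kind == "IN":       return v in rule.arg
    if rule.kind == "LT":       return v is not None and v < rule.arg
    if rule.kind == "GT":       return v is not None and v > rule.arg
    if rule.kind == "PLSQL":    return bool(rule.arg(app))
    raise ValueError(f"unknown rule type: {rule.kind}")

def score(app: Dict[str, Any], rules: List[Rule], minimum_pct: float) -> Dict[str, Any]:
    """Score = points earned out of total attributes, as X of Y and a percentage."""
    results = {r.name: evaluate(r, app) for r in rules}
    points = sum(results.values())
    pct = 100.0 * points / len(rules)
    return {"points": points, "total": len(rules), "pct": pct,
            "passed": pct >= minimum_pct, "results": results,
            "fixes": [r.fix for r in rules if not results[r.name]]}

SENSITIVE = ("SSN", "PASSWORD", "CARD")   # assumed column-name fragments to flag

# "General Security Attributes" set plus one sensitive-data attribute (assumed rules).
GENERAL_SECURITY = [
    Rule("Authorization scheme set", "authorization_scheme", "NOT NULL",
         fix="Open the page's Security section and select an authorization scheme."),
    Rule("Session state protection on", "session_state_protection", "IN", ("ENABLED",),
         fix="Enable Session State Protection in Application Properties > Security."),
    Rule("Session timeout under 8h", "max_session_length_sec", "LT", 8 * 3600,
         fix="Set Maximum Session Length to 28800 seconds or less."),
    Rule("Form autocomplete off", "form_autocomplete", "IN", ("OFF",),
         fix="Set the form region's Autocomplete attribute to Off."),
    Rule("No sensitive report columns", "report_columns", "PLSQL",
         lambda a: not any(s in c.upper() for c in a["report_columns"] for s in SENSITIVE),
         fix="Remove or mask the flagged column and follow up with the data owner."),
]

SAMPLE_APP = {  # constructed sample attributes, not real APEX metadata
    "authorization_scheme": None,           # expected but not found, as on slide 10
    "session_state_protection": "ENABLED",
    "max_session_length_sec": 3600,
    "form_autocomplete": "ON",
    "report_columns": ["EMPNO", "ENAME", "SAL"],
}
```

Running `score(SAMPLE_APP, GENERAL_SECURITY, 80)` yields 3 of 5 points (60%), so the application fails the threshold and two fix instructions are returned.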
