HVC2012 | 8-Nov-12 Application Performance Monitoring Ofer Maor CTO HVC2012 8 Nov 2012 Haifa, Israel.
Presentation transcript:

Application Security 101
Short Hacking Demo
Vulnerability vs Bug
Quality, Quality, Quality
Real Risk vs Bad Coding
S for Security (Secure DLC)
QA & Application Security?
Q&A

… years in information/application security (over 10 years hands-on penetration testing)
Research, Development, Enhancement
–Attack & Defense Techniques
–WAF / AppSec Testing Products
Regular Speaker in Security Conferences
OWASP Global Membership Committee & Chairman of OWASP Israel

Leader in Application Security Testing
New Generation, Data Oriented Approach
–Analysis of application data and code
–Exploit verification to classify risk
Intuitive & Easy to Use
Enabling Security as part of QA

Open Web Application Security Project
World Wide Community Promoting AppSec
–58 Companies, 52 Universities, 2000 Members
–Thousands of Articles, Presentations, Projects
–Over 20,000 Participants in Activities
OWASP Israel – Local Israeli Chapter
–1 Annual Conference + Quarterly Meetings

What are Application Vulnerabilities?
Application Security in Numbers:
–Over 97% of applications are vulnerable
–90% of attacks take place in app/data layer
–Spending over 1B$ annually, 40% growth
Risk to Critical Data & Business Processes
Requires Mitigation as part of Software

URL: /SearchBranch.aspx?p_address=Athens
Assembly Path: C:\Windows\Microsoft.NET\Framework\v \Temporary ASP.NET Files\luftbank\d \716bda9a\assembly\dl3\36cb53c6\00dde867_5965cb01\Luft.General.DLL
Pseudo source code of execution from Luft.General.GeneralDB.searchBankBranch:

    { text += " and "; }
    text = text + " Address like '%" + p_address + "%'";
    }
    DbCommand sqlStringCommand = database.GetSqlStringCommand(text);
    return database.ExecuteDataSet(sqlStringCommand);
    }

Query Generated (Normal Conditions):
    SELECT ID,Name,Address FROM Dyn_Branch WHERE Address like '%Athens %'
Attack:
    /SearchBranch.aspx?p_address=Athens' and 7 = 8 union select 1,name,'zFw03' from (select top 20 name from sysobjects order by name) xxx --
Query Generated under Attack:
    SELECT ID,Name,Address FROM Dyn_Branch WHERE Address like '%Athens' and 7 = 8 union select 1,name,'zFw03' from (select top 20 name from sysobjects order by name) xxx--%'
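The concatenation from the pseudo source above, rebuilt as an added example (not the presentation's or the product's code) against an in-memory SQLite table standing in for Dyn_Branch: the vulnerable search next to its parameterized form, plus the result-oracle check a QA test can run without security expertise. The attack string is the slide's own, with SQL Server's sysobjects swapped for SQLite's sqlite_master catalog; the branch rows are constructed.

```python
import sqlite3

# Constructed sample rows standing in for the Dyn_Branch table in the demo.
BRANCHES = [
    (1, "Main", "12 Athens Road"),
    (2, "Harbour", "3 Athens Quay"),
    (3, "Uptown", "9 Haifa Street"),
]

# The slide's attack string, with sysobjects replaced by SQLite's catalog table.
ATTACK = ("Athens' and 7 = 8 union select 1,name,'zFw03' "
          "from (select name from sqlite_master order by name) xxx --")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Dyn_Branch (ID INTEGER, Name TEXT, Address TEXT)")
    conn.executemany("INSERT INTO Dyn_Branch VALUES (?, ?, ?)", BRANCHES)
    return conn


def search_bank_branch_vulnerable(conn, p_address: str):
    # Same construction as searchBankBranch on the slide: the parameter is
    # concatenated into the SQL text, so a quote in it rewrites the query.
    text = ("SELECT ID,Name,Address FROM Dyn_Branch WHERE Address like '%"
            + p_address + "%'")
    return conn.execute(text).fetchall()


def search_bank_branch_fixed(conn, p_address: str):
    # Hardened form: the SQL text is constant and the value is bound as a
    # parameter, so it is matched as a literal whatever characters it holds.
    # LIKE wildcards in the input would still act as wildcards, so escape them.
    escaped = (p_address.replace("\\", "\\\\")
               .replace("%", "\\%").replace("_", "\\_"))
    return conn.execute(
        "SELECT ID,Name,Address FROM Dyn_Branch WHERE Address like ? ESCAPE '\\'",
        ("%" + escaped + "%",),
    ).fetchall()


def results_are_genuine(rows, p_address: str) -> bool:
    # QA oracle: every returned row must really contain the search text in its
    # Address column. Rows smuggled in by a UNION fail this without any need
    # to understand the payload, which is the "no security expertise" point.
    return all(p_address in address for _, _, address in rows)
```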

URL / User A / Sample Record / Database Records
Query (No Validation):
    SELECT [Date] as TransDateTime, dbo.udf_dateToString([Date]) as TransDate, ID, Owner, Amount, Balance FROM Dyn_AccountTransactions WHERE ID=
Sample Record: /9/ :48:10 PM, , Jack Daniel, 3330,
User A = , ,
User B = , ,

DEMO

Different, but Similar
Inherently – It’s a Problem in the Code
But There is a Difference…
–Bug: Something should work, but doesn’t.
–Vulnerability: Something works, but shouldn’t.
Finding Vulnerabilities is Harder…
–No specific specifications to compare to
–Infinite possibilities…

Nonetheless, it is another bug…
We need to avoid it…
If we can’t avoid it, we need to find it…
Once we find it, we need to fix it…
And then retest it…
Until it’s verified.
Therefore… Security is “just” Another Quality Issue

Early Detection – A Must
Late Detection…
–High Cost of Remediation (1, 6, 15, 100)
–Delay in Deployment or…
–Risk in Production

Secure Development Lifecycle – A Must
Like Any Other Quality Aspect
–Start Early (Design)
–Code Right (Yeah Right…)
–Test Early, Test Plenty
–Fix
–Retest
–Repeat… (This loop has to end sometime…)

Insecure Code – Wide Definition
Not All Bad Practices Lead to Vulnerabilities
Not All Vulnerabilities Are Exploitable
Need to Define What is “Insecure”
–Identify Real Risk
–Assess Business Impact
–Analyze Affected Data

If it’s “just another” Quality Issue – Responsibility for QA Team?
Yes, But…
–Different Mindset
–Lack of Security Knowhow
–Lack of Skill
–Lack of Tools
–Existing Tools Not Targeting QA…
–Expensive to Outsource (Security Services)

Empowering QA for Security Testing through Automatic Security Testing
Automatic Solution That Is…
–Reliable & Repeatable
–Requires No Security Expertise
–Accurate & Relevant Results (No FP/FN)
–Provides Results Usable by Developers
–Easy to Integrate (Continuous Integration, Ticketing Integration, Fix Tracking, Verification)

Application Security – A Real Problem
Vulnerability – “Just” Another Bug
Vulnerabilities Must be Eliminated by R&D
Application Security – A Quality Issue
QA Teams Must Acquire Capabilities
Automation – The Right Solution for Application Security Testing in QA
